author | Guilhem Moulin <guilhem@fripost.org> | 2016-02-12 15:25:31 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-02-12 20:06:22 +0100 |
commit | fa8d2b668550259e6f78d16fc209c4da1a20b842 (patch) | |
tree | cfa56bc2941f14626cbecf7e785d6c3a9c000e0d | |
parent | ce731cb119b501b2de58473c6fb0d205d772c004 (diff) |
Upgrade playbooks to Ansible 2.0.
-rw-r--r-- | ansible.cfg | 116 | ||||
-rw-r--r-- | lib/action_plugins/openldap.py | 86 | ||||
-rw-r--r-- | roles/IMAP/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/IMAP/tasks/imap.yml | 2 | ||||
-rw-r--r-- | roles/IMAP/tasks/main.yml | 18 | ||||
-rw-r--r-- | roles/LDAP-provider/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/MSA/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/MX/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/bacula-dir/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/bacula-sd/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/common-LDAP/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/common/tasks/bacula.yml | 2 | ||||
-rw-r--r-- | roles/common/tasks/mail.yml | 6 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 57 | ||||
-rw-r--r-- | roles/common/tasks/munin-node.yml | 2 | ||||
-rw-r--r-- | roles/common/tasks/sysctl.yml | 2 | ||||
-rw-r--r-- | roles/git/tasks/cgit.yml | 2 | ||||
-rw-r--r-- | roles/git/tasks/gitolite.yml | 4 | ||||
-rw-r--r-- | roles/git/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/lists/tasks/main.yml | 16 | ||||
-rw-r--r-- | roles/lists/tasks/nginx.yml | 2 | ||||
-rw-r--r-- | roles/webmail/tasks/main.yml | 10 | ||||
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 6 | ||||
-rw-r--r-- | roles/wiki/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/wiki/tasks/main.yml | 4 |
25 files changed, 168 insertions, 191 deletions
diff --git a/ansible.cfg b/ansible.cfg
index 3810727..2de77ef 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,107 +1,45 @@ # config file for ansible -- http://ansible.github.com # nearly all parameters can be overridden in ansible-playbook or with command line flags # ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first [defaults] - -# location of inventory file, eliminates need to specify -i - -#hostfile = ./stage_vms - -# location of ansible library, eliminates need to specify --module-path - -library = ./lib/modules:/usr/share/ansible - -# default module name used in /usr/bin/ansible when -m is not specified - -module_name = command - -# home directory where temp files are stored on remote systems. Should -# almost always contain $HOME or be a directory writeable by all users - -remote_tmp = $HOME/.ansible/tmp - -# the default pattern for ansible-playbooks ("hosts:") - -pattern = * - -# the default number of forks (parallelism) to be used. Usually you -# can crank this up. - -forks = 5 - -# the timeout used by various connection types. Usually this corresponds -# to an SSH timeout - -timeout = 10 - -# when using --poll or "poll:" in an ansible playbook, and not specifying -# an explicit poll interval, use this interval - -poll_interval = 15 - -# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook, -# and not specifying "--sudo-user" or "sudo_user" respectively, sudo -# to this user account - -sudo = True -#sudo_user = root - -# what flags to pass to sudo -sudo_flags = -H LC_ALL=C - -# the following forces ansible to always ask for the sudo password (instead of having -# to add -K to the commandline). 
Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS) - -ask_sudo_pass = True - -# the following forces ansible to always ask for the ssh-password (-k) -# can also be set by the environment variable ANSIBLE_ASK_PASS - -#ask_pass = True - -# connection to use when -c <connection_type> is not specified - -transport = ssh - -# remote SSH port to be used when --port or "port:" or an equivalent inventory -# variable is not specified. - -remote_port = 22 - -# if set, always run /usr/bin/ansible commands as this user, and assume this value -# if "user:" is not set in a playbook. If not set, use the current Unix user -# as the default - -#remote_user = root - -# if set, always use this private key file for authentication, same as if passing -# --private-key to ansible or ansible-playbook - -#private_key_file=/path/to/file - -# format of string $ansible_managed available within Jinja2 templates, replacing -# {file}, {host} and {uid} with template filename, host and owner respectively. -# The resulting string is passed through strftime(3) so it may contain any -# time-formatting specifiers. -# -# Example: ansible_managed = DONT TOUCH {file}: call {uid} at {host} for changes +library = ./lib/modules:/usr/share/ansible +remote_tmp = $HOME/.ansible/tmp +forks = 5 +poll_interval = 15 +transport = ssh +remote_port = 22 +module_lang = C +timeout = 10 + +# format of string {{ ansible_managed }} available within Jinja2 +# templates indicates to users editing templates files will be replaced. +# replacing {file}, {host} and {uid} and strftime codes with proper values. 
ansible_managed = Ansible Managed: modified on %Y-%m-%d %H:%M:%S by {uid}@{host} # additional plugin paths for non-core plugins - action_plugins = ./lib/action_plugins callback_plugins = ./lib/callback_plugins connection_plugins = ./lib/connection_plugins lookup_plugins = ./lib/lookup_plugins vars_plugins = ./lib/vars_plugins -[ssh_connection] +# retry files +# When a playbook fails by default a .retry file will be created in ~/ +# You can disable this feature by setting retry_files_enabled to False +# and you can change the location of the files by setting retry_files_save_path +retry_files_enabled = False +#retry_files_save_path = ~/.ansible-retry + -# if uncommented, sets the ansible ssh arguments to the following. Leaving off ControlPersist -# will result in poor performance, so use transport=paramiko on older platforms rather than -# removing it +[privilege_escalation] +become=True +become_method=sudo +#become_user=root +become_ask_pass=True -control_path = /run/shm/ansible-ssh-%%C + +[ssh_connection] +control_path = ~/.ssh/S.ansible-%%C ssh_args = -oHashKnownHosts=no -oUserKnownHostsFile=./certs/ssh_known_hosts -oStrictHostKeyChecking=yes -oControlMaster=auto -oControlPersist=60s pipelining = True diff --git a/lib/action_plugins/openldap.py b/lib/action_plugins/openldap.py index 5dbf59f..a66c3aa 100644 --- a/lib/action_plugins/openldap.py +++ b/lib/action_plugins/openldap.py 
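Review bot: `sudo_flags = -H LC_ALL=C` is deleted but nothing in the new `[privilege_escalation]` section carries those flags over, so if resetting HOME and the locale under sudo still matters the 2.0 key for it is `become_flags = -H LC_ALL=C` in that section (worth checking against the installed version's defaults before relying on it). The new section also writes `become=True`, `become_method=sudo` and `become_ask_pass=True` without spaces around `=`, while every other key in the file uses `key = value`; keep one form, e.g. `become = True`. The rewritten comment above `ansible_managed` ("templates indicates to users editing templates files will be replaced") is hard to parse; a single line such as `# {file}, {host}, {uid} and strftime codes are expanded in the {{ ansible_managed }} string` says the same thing.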
@@ -1,86 +1,68 @@ # Manage OpenLDAP databases # Copyright (c) 2014 Guilhem Moulin <guilhem@fripost.org> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os -import pipes -import tempfile +from ansible.plugins.action import ActionBase +from ansible.utils.unicode import to_bytes, to_unicode -from ansible.utils import template -from ansible import utils -from ansible.runner.return_data import ReturnData - -class ActionModule(object): +class ActionModule(ActionBase): TRANSFERS_FILES = True - def __init__(self, runner): - self.runner = runner - - def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): - ''' handler for file transfer operations ''' + def run(self, tmp=None, task_vars=None): + if task_vars is None: + task_vars = dict() - if self.runner.noop_on_check(inject): - return ReturnData(conn=conn, comm_ok=True, result=dict(skipped=True)) + if self._play_context.check_mode: + return dict(skipped=True, msg='check mode not supported for this module') - # load up options - options = {} - if complex_args: - options.update(complex_args) - options.update(utils.parse_kv(module_args)) + result = super(ActionModule, self).run(tmp, task_vars) - target = options.get('target', None) - local = options.get('local', 'no') + target = self._task.args.get('target', None) + local = self._task.args.get('local', 'no') if local not in [ 'no', 'file', 'template' ]: - result 
= dict(failed=True, msg="local must be in ['no','file','template']") - return ReturnData(conn=conn, comm_ok=False, result=result) + return dict(failed=True, msg="local must be in ['no','file','template']") if local != 'no' and target is None: - result = dict(failed=True, msg="target is required in local mode") - return ReturnData(conn=conn, comm_ok=False, result=result) + return dict(failed=True, msg="target is required in local mode") if local == 'no': # run the module remotely - return self.runner._execute_module(conn, tmp, 'openldap', module_args, inject=inject, complex_args=complex_args) - elif '_original_file' in inject: - target = utils.path_dwim_relative(inject['_original_file'], local+'s', target, self.runner.basedir) + return self._execute_module(module_args=self._task.args, task_vars=task_vars) + + if self._task._role is not None: + target = self._loader.path_dwim_relative(self._task._role._role_path, local+'s', target) else: - # the source is local, so expand it here - target = os.path.expanduser(target) + target = self._loader.path_dwim_relative(self._loader.get_basedir(), local+'s', target) + + new_module_args = self._task.args.copy() + new_module_args['target'] = self._connection._shell.join_path(self._make_tmp_path(), 'target.ldif') + new_module_args['local'] = 'no' - options['local'] = 'no' - options['target'] = os.path.join(tmp, os.path.basename(target)) if local == 'template': - # template the source data locally and transfer it + # template the source data locally try: - s = template.template_from_file(self.runner.basedir, target, inject, vault_password=self.runner.vault_pass) - tmpfile = tempfile.NamedTemporaryFile(delete=False) - tmpfile.write(s) - tmpfile.close() - target = tmpfile.name - except Exception, e: - result = dict(failed=True, msg=str(e)) - return ReturnData(conn=conn, comm_ok=False, result=result) - conn.put_file(tmpfile.name, options['target']) - os.unlink(tmpfile.name) - - elif local == 'file': - conn.put_file(target, 
options['target']) + with open(target, 'r') as f: + template_data = to_unicode(f.read()) + target = self._templar.template(template_data, preserve_trailing_newlines=True, escape_backslashes=False, convert_data=False) + except Exception as e: + result['failed'] = True + result['msg'] = type(e).__name__ + ": " + str(e) + return result - # run the script remotely with the new (temporary) filename - module_args = "" - for o in options: - module_args = "%s %s=%s" % (module_args, o, pipes.quote(options[o])) - return self.runner._execute_module(conn, tmp, 'openldap', module_args, inject=inject) + # transfer the file and run the module remotely + self._transfer_data(new_module_args['target'], target) + result.update(self._execute_module(module_args=new_module_args, task_vars=task_vars)) + return result diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml index 10a717d..2c49611 100644 --- a/roles/IMAP/handlers/main.yml +++ b/roles/IMAP/handlers/main.yml @@ -1,29 +1,29 @@ --- - name: Restart Dovecot service: name=dovecot state=restarted - name: Reload Postfix service: name=postfix state=reloaded - name: Compile Spamassassin rules - sudo_user: debian-spamd + become_user: debian-spamd # it might take a while... command: /usr/bin/sa-compile --quiet chdir=/var/lib/spamassassin/ - name: Restart Amavis service: name=amavis state=restarted - name: Copy SQL tables for spamassassin copy: src=tmp/spamassassin.sql dest=/tmp/spamassassin.sql owner=root group=root mode=0600 - name: Create SQL tables for spamassassin # see https://svn.apache.org/repos/asf/spamassassin/trunk/sql/ # for the original mysql_db: name=spamassassin state=import target=/tmp/spamassassin.sql encoding=latin1 collation=latin1_unicode_ci diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index c9686c9..883b6a8 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml 
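Review bot: In the `local == 'file'` case `target` is still a local path when it reaches `self._transfer_data(new_module_args['target'], target)`, whereas in the template branch it holds the rendered text; the old `elif local == 'file': conn.put_file(target, ...)` branch has no replacement, so unless `_transfer_data` resolves paths (its name and the template branch suggest it writes its second argument as the file body) the `local=file` call made by roles/LDAP-provider ships the path string instead of the LDIF. Keep the two cases apart: `if local == 'template': ... self._transfer_data(new_module_args['target'], target)` and `else: self._transfer_file(target, new_module_args['target'])`. Separately, `new_module_args['target']` lives under a fresh `self._make_tmp_path()` while `_execute_module` is called without `tmp=`, so that directory and the uploaded directory data in it are presumably never removed on the remote; passing the same `tmp` to `_execute_module` (or removing the path afterwards) avoids leaving it behind. `to_bytes` is imported but unused.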
@@ -62,41 +62,41 @@ - all - flagged - recent - unseen - name: Create directory /home/mail/spamspool file: path=/home/mail/spamspool state=directory owner=vmail group=vmail mode=0700 - name: Create directory /etc/dovecot/ssl file: path=/etc/dovecot/ssl state=directory owner=root group=root mode=0755 - name: Fetch Dovecot's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 register: r1 with_items: - conf.d/10-auth.conf - conf.d/10-logging.conf - conf.d/10-mail.conf - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml index 9ed2ea6..f9b25d1 100644 --- a/roles/IMAP/tasks/main.yml +++ b/roles/IMAP/tasks/main.yml @@ -1,4 +1,16 @@ --- -- include: imap.yml tags=imap,dovecot -- include: mda.yml tags=mda,mail,postfix -#- include: spam.yml tags=spam,spamassassin # TODO spam filter +- include: imap.yml + tags: + - imap + - dovecot +- include: mda.yml + tags: + - mda + - mail + - postfix +# TODO spam filter +#- include: spam.yml +# tags +# - spam +# - spamassassin +# diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml index 3f7f29f..ad6e7bb 100644 --- a/roles/LDAP-provider/tasks/main.yml +++ b/roles/LDAP-provider/tasks/main.yml @@ -1,15 +1,15 @@ - name: Load and configure the syncprov overlay openldap: module=syncprov suffix=dc=fripost,dc=org target=etc/ldap/syncprov.ldif local=file - name: Enable the EXTERNAL SASL mechanism lineinfile: dest=/usr/lib/sasl2/slapd.conf - regexp='^mech_list'':' - line=mech_list':'' EXTERNAL' + regexp='^mech_list{{':'}}' + line='mech_list{{':'}} EXTERNAL' create=yes owner=root group=root mode=0644 # TODO: authz constraint 
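Review bot: The commented-out `spam.yml` block in roles/IMAP/tasks/main.yml writes `#   tags` without the colon, so re-enabling it by uncommenting would not parse as the mapping the other includes now use; write `#   tags:` so the TODO block matches the live syntax. The trailing bare `#` line after it adds nothing and can go.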
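Review bot: The `{{':'}}` placeholders in `regexp='^mech_list{{':'}}'` and `line='mech_list{{':'}} EXTERNAL'` work around the key=value argument parser, not a YAML constraint; the mapping form of `lineinfile` takes a literal `:` and needs no quoting tricks. The same applies to the `root{{':'}}` lines in roles/common/tasks/mail.yml, the `\'` and `\\s` escapes in roles/git/tasks/gitolite.yml and roles/webmail/tasks/roundcube.yml, and the templated `value={{ item.value }}` in roles/common/tasks/sysctl.yml, which breaks if a value ever contains whitespace. Rewriting the task in mapping form keeps the regex readable and removes the escaping:
```yaml
- name: Enable the EXTERNAL SASL mechanism
  lineinfile:
    dest: /usr/lib/sasl2/slapd.conf
    regexp: '^mech_list:'
    line: 'mech_list: EXTERNAL'
    create: yes
    owner: root
    group: root
    mode: 0644
```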
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml index 499880f..4c0ceef 100644 --- a/roles/MSA/tasks/main.yml +++ b/roles/MSA/tasks/main.yml @@ -9,41 +9,41 @@ dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf owner=root group=root mode=0644 notify: - Reload Postfix - name: Copy the Regex to anonymize senders # no need to reload upon change, as cleanup(8) is short-running copy: src=etc/postfix/anonymize_sender.pcre dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre owner=root group=root mode=0644 - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False # `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file` fetch: src=/etc/postfix/ssl/smtp.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} owner=root group=root state=link force=yes tags: - munin - munin-node notify: - Restart munin-node diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml index 1b820e3..6ca11c0 100644 --- a/roles/MX/tasks/main.yml +++ b/roles/MX/tasks/main.yml 
@@ -63,41 +63,41 @@ postmap: instance={{ postfix_instance[inst].name }} src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb owner=root group=root mode=0644 notify: - Reload Postfix - name: Copy reserved-alias.pl copy: src=usr/local/bin/reserved-alias.pl dest=/usr/local/bin/reserved-alias.pl owner=root group=root mode=0755 - meta: flush_handlers - name: Start Postfix service: name=postfix state=started - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file` fetch: src=/etc/postfix/ssl/mx.fripost.org.pem dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem fail_on_missing=yes flat=yes tags: - genkey - name: Install 'postfix_mailqueue_' Munin wildcard plugin file: src=/usr/local/share/munin/plugins/postfix_mailqueue_ dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }} owner=root group=root state=link force=yes tags: - munin - munin-node notify: - Restart munin-node diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml index cee6fc2..1dd0683 100644 --- a/roles/bacula-dir/tasks/main.yml +++ b/roles/bacula-dir/tasks/main.yml 
@@ -13,41 +13,41 @@ state=directory owner=root group=root mode=0755 - name: Generate a private key and a X.509 certificate for Bacula Dir command: genkeypair.sh x509 --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key --ou=BaculaDir --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} -t rsa -b 4096 -h sha512 register: r1 changed_when: r1.rc == 0 failed_when: r1.rc > 1 notify: - Restart stunnel tags: - genkey - name: Fetch Bacula Dir X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem dest=certs/bacula/ fail_on_missing=yes flat=yes tags: - genkey - name: Copy Bacula SD X.509 certificates copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem dest=/etc/stunnel/certs/ owner=root group=root mode=0644 with_items: groups['bacula-sd'] | difference([inventory_hostname]) | sort register: r2 notify: - Restart stunnel - name: Copy Bacula FD X.509 certificates copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-fd.pem dest=/etc/stunnel/certs/ diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml index 7a6c8c3..a888db6 100644 --- a/roles/bacula-sd/tasks/main.yml +++ b/roles/bacula-sd/tasks/main.yml 
@@ -13,41 +13,41 @@ state=directory owner=root group=root mode=0755 - name: Generate a private key and a X.509 certificate for Bacula SD command: genkeypair.sh x509 --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key --ou=BaculaSD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} -t rsa -b 4096 -h sha512 register: r1 changed_when: r1.rc == 0 failed_when: r1.rc > 1 notify: - Restart stunnel tags: - genkey - name: Fetch Bacula SD X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem dest=certs/bacula/ fail_on_missing=yes flat=yes tags: - genkey - name: Copy Bacula Dir/FD X.509 certificates assemble: src=certs/bacula regexp="-(dir|fd)\.pem$" remote_src=no dest=/etc/stunnel/certs/bacula-dir+fds.pem owner=root group=root mode=0644 register: r2 notify: - Restart stunnel - name: Configure stunnel template: src=etc/stunnel/bacula-sd.conf.j2 dest=/etc/stunnel/bacula-sd.conf owner=root group=root diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 5b7143f..960189b 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml 
@@ -39,41 +39,41 @@ command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} --usage=digitalSignature,keyEncipherment,keyCertSign -t rsa -b 4096 -h sha256 --owner=root --group=openldap --mode=0640 register: r2 changed_when: r2.rc == 0 failed_when: r2.rc > 1 with_items: - { group: 'LDAP-provider', name: ldap.fripost.org, ou: } - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" tags: - genkey - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes flat=yes with_items: - { group: 'LDAP-provider', name: ldap.fripost.org } - { group: 'MX', name: mx } - { group: 'lists', name: lists } when: "item.group in group_names" tags: - genkey - name: Copy the SyncProv's server certificate copy: src=certs/ldap/ldap.fripost.org.pem dest=/etc/ldap/ssl/ldap.fripost.org.pem owner=root group=root mode=0644 when: "'LDAP-provider' not in group_names" tags: - genkey diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml index 248d47d..91b37c8 100644 --- a/roles/common/tasks/bacula.yml +++ b/roles/common/tasks/bacula.yml 
@@ -13,41 +13,41 @@ state=directory owner=root group=root mode=0755 - name: Generate a private key and a X.509 certificate for Bacula FD command: genkeypair.sh x509 --pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem --privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key --ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} -t rsa -b 4096 -h sha512 register: r1 changed_when: r1.rc == 0 failed_when: r1.rc > 1 notify: - Restart stunnel tags: - genkey - name: Fetch Bacula FD X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem dest=certs/bacula/ fail_on_missing=yes flat=yes tags: - genkey - name: Copy Bacula Dir X.509 certificates assemble: src=certs/bacula regexp="-dir\.pem$" remote_src=no dest=/etc/stunnel/certs/bacula-dirs.pem owner=root group=root mode=0644 register: r2 when: "'bacula-dir' not in group_names" notify: - Restart stunnel - name: Copy Bacula SD X.509 certificates copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem dest=/etc/stunnel/certs/ diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index c8e2495..273dc5c 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml 
@@ -51,52 +51,52 @@ mode=0755 tags: - genkey - name: Generate a private key and a X.509 certificate for Postfix command: genkeypair.sh x509 --pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem --privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key --ou=Postfix --cn={{ ansible_fqdn }} -t rsa -b 4096 -h sha512 register: r4 changed_when: r4.rc == 0 failed_when: r4.rc > 1 notify: - Restart Postfix tags: - genkey - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem dest=certs/postfix/ fail_on_missing=yes flat=yes tags: - genkey - name: Add a 'root' alias lineinfile: dest=/etc/aliases create=yes - regexp="^root:"" " - line="root:"" root@fripost.org" + regexp="^root{{':'}} " + line="root{{':'}} root@fripost.org" - name: Compile the static local Postfix database postmap: cmd=postalias src=/etc/aliases db=cdb owner=root group=root mode=0644 # We're using CDB - name: Delete /etc/aliases.db file: path=/etc/aliases.db state=absent - name: Copy the Postfix TLS policy map template: src=etc/postfix/tls_policy.j2 dest=/etc/postfix/tls_policy owner=root group=root mode=0644 when: "'out' not in group_names or 'MX' in group_names" tags: - tls_policy - name: Compile the Postfix TLS policy map diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 3b95c92..3e6a4a8 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -1,47 +1,74 @@ --- -- include: sysctl.yml tags=sysctl +- include: sysctl.yml + tags: sysctl - include: hosts.yml -- include: apt.yml tags=apt +- include: apt.yml + tags: apt - name: Install intel-microcode apt: pkg=intel-microcode when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" tags: intel -- include: firewall.yml tags=firewall,iptables -- include: samhain.yml tags=samhain -- include: auditd.yml tags=auditd -- include: rkhunter.yml tags=rkhunter -- include: clamav.yml tags=clamav -- include: fail2ban.yml tags=fail2ban -- include: smart.yml tags=smartmontools,smart +- include: firewall.yml + tags: + - firewall + - iptables +- include: samhain.yml + tags: samhain +- include: auditd.yml + tags: auditd +- include: rkhunter.yml + tags: rkhunter +- include: clamav.yml + tags: clamav +- include: fail2ban.yml + tags: fail2ban +- include: smart.yml + tags: + - smartmontools + - smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" -- include: haveged.yml tags=haveged,entropy +- include: haveged.yml + tags: + - haveged + - entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 tags: genkey with_items: - genkeypair.sh - gendhparam.sh - name: Generate DH parameters command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem tags: genkey -- include: logging.yml tags=logging -- include: ntp.yml tags=ntp -- include: mail.yml tags=mail,postfix -- include: bacula.yml tags=bacula-fd,bacula -- include: munin-node.yml tags=munin-node,munin +- include: logging.yml + tags: logging +- include: ntp.yml + tags: ntp +- include: mail.yml + tags: + - mail + - postfix +- include: bacula.yml + tags: + - bacula-fd + - bacula +- include: munin-node.yml + tags: + - munin-node + - munin - 
name: Install common packages apt: pkg={{ item }} with_items: - ca-certificates - etckeeper - ethtool - git - htop - molly-guard - rsync - screen - telnet-ssl diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml index 9e5d8f4..c585d60 100644 --- a/roles/common/tasks/munin-node.yml +++ b/roles/common/tasks/munin-node.yml @@ -155,41 +155,41 @@ state=directory owner=root group=root mode=0755 - name: Generate a private key and a X.509 certificate for munin-node command: genkeypair.sh x509 --pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem --privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key --ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }} -t rsa -b 4096 -h sha512 register: r1 changed_when: r1.rc == 0 failed_when: r1.rc > 1 notify: - Restart stunnel tags: - genkey - name: Fetch Munin X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem dest=certs/munin/{{ inventory_hostname }}.pem fail_on_missing=yes flat=yes tags: - genkey - name: Copy munin-master X.509 certificates assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no dest=/etc/stunnel/certs/munin-master.pem owner=root group=root mode=0644 register: r2 when: "'munin-master' not in group_names" notify: - Restart stunnel - name: Configure stunnel template: src=etc/stunnel/munin-node.conf.j2 dest=/etc/stunnel/munin-node.conf diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml index 6ac7feb..d3ae86f 100644 --- a/roles/common/tasks/sysctl.yml +++ b/roles/common/tasks/sysctl.yml 
@@ -1,21 +1,21 @@ -- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes +- sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes with_items: - { name: 'kernel.domainname', value: '{{ ansible_domain }}' } # Networking. See # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt # Enable Spoof protection (reverse-path filter). Turn on Source # Address Verification in all interfaces to prevent some spoofing # attacks. - { name: 'net.ipv4.conf.default.rp_filter', value: 1 } - { name: 'net.ipv4.conf.all.rp_filter', value: 1 } # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We # rate-limit not only the default ICMP types 3, 4, 11 and 12 # (0x1818), but also types 0 and 8. See icmp(7). - { name: 'net.ipv4.tcp_syncookies', value: 1 } - { name: 'net.ipv4.icmp_ratemask', value: 6425 } - { name: 'net.ipv4.icmp_ratelimit', value: 1000 } # Disable paquet forwarding between interfaces (we are not a router). diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml index 7237aa9..cebcec8 100644 --- a/roles/git/tasks/cgit.yml +++ b/roles/git/tasks/cgit.yml @@ -81,27 +81,27 @@ notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/git file: src=../sites-available/git dest=/etc/nginx/sites-enabled/git owner=root group=root state=link force=yes register: r2 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/git.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey diff --git a/roles/git/tasks/gitolite.yml b/roles/git/tasks/gitolite.yml index 5cbce23..90b3015 100644 --- a/roles/git/tasks/gitolite.yml +++ b/roles/git/tasks/gitolite.yml 
@@ -9,28 +9,28 @@ password=* state=present - name: Create directory ~gitolite/.ssh file: path=/var/lib/gitolite/.ssh state=directory owner=gitolite group=gitolite mode=0700 - name: Create /var/lib/gitolite/projects.list file: path=/var/lib/gitolite/projects.list owner=gitolite group=gitolite mode=0644 # See /usr/share/doc/gitolite3/README.txt.gz for gitolite initiation or # migration. # sudo -u gitolite gitolite setup -pk /path/to/id_rsa - name: Configure gitolite lineinfile: dest=/var/lib/gitolite/.gitolite.rc - "regexp=^(\\s*{{ item.var }}\\s*=>\\s*)" - "line= {{ item.var }} => {{ item.value }}," + regexp='^(\\s*{{ item.var }}\\s*=>\\s*)' + line=' {{ item.var }} => {{ item.value }},' owner=root group=root mode=0644 with_items: # See /usr/share/doc/gitolite3/README.txt.gz - { var: UMASK, value: "0027" } - { var: GIT_CONFIG_KEYS, value: "'gitweb\\..* gc\\..*'" } diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index da9f876..e24402a 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml @@ -1,2 +1,4 @@ -- include: gitolite.yml tags=gitolite -- include: cgit.yml tags=cgit +- include: gitolite.yml + tags: gitolite +- include: cgit.yml + tags: cgit diff --git a/roles/lists/tasks/main.yml b/roles/lists/tasks/main.yml index f0e8e26..b43c948 100644 --- a/roles/lists/tasks/main.yml +++ b/roles/lists/tasks/main.yml @@ -1,3 +1,13 @@ -- include: mail.yml tags=postfix,mail -- include: nginx.yml tags=nginx,www,web -- include: sympa.yml tags=sympa,lists +- include: mail.yml + tags: + - postfix + - mail +- include: nginx.yml + tags: + - nginx + - www + - web +- include: sympa.yml + tags: + - sympa + - lists diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml index 21e769a..34d42bd 100644 --- a/roles/lists/tasks/nginx.yml +++ b/roles/lists/tasks/nginx.yml 
@@ -10,27 +10,27 @@ notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/sympa file: src=../sites-available/sympa dest=/etc/nginx/sites-enabled/sympa owner=root group=root state=link register: r2 notify: - Restart Nginx - name: Start nginx service: name=nginx state=started when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/lists.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml index 030a547..8ee50bd 100644 --- a/roles/webmail/tasks/main.yml +++ b/roles/webmail/tasks/main.yml @@ -1,3 +1,9 @@ -- include: mail.yml tags=postfix,mail +- include: mail.yml when: "'out' not in group_names" -- include: roundcube.yml tags=roundcube,webmail + tags: + - postfix + - mail +- include: roundcube.yml + tags: + - roundcube + - webmail diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index 3eaf766..eb04ba1 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml 
@@ -23,42 +23,42 @@ apt: pkg={{ item }} default_release={{ ansible_lsb.codename }}-backports with_items: - roundcube-core - roundcube-mysql - roundcube-plugins - php-net-sieve - php-net-ldap3 - php-mail-mimedecode - name: Copy fripost's logo copy: src=usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png dest=/usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png owner=root group=root mode=0644 with_items: - classic - larry - name: Configure Roundcube lineinfile: dest=/etc/roundcube/config.inc.php - "regexp=^\\s*\\$config\\['{{ item.var }}'\\]\\s*=" - "line=$config['{{ item.var }}'] = {{ item.value }};" + regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*=' + line='$config[\'{{ item.var }}\'] = {{ item.value }};' owner=root group=www-data mode=0640 with_items: # Logging/Debugging - { var: smtp_log, value: "false" } # IMAP - { var: default_host, value: "'localhost'" } - { var: default_port, value: "143" } - { var: imap_auth_type, value: "'PLAIN'" } - { var: imap_cache, value: "null" } - { var: imap_timeout, value: "180" } - { var: messages_cache, value: "false" } # SMTP - { var: smtp_server, value: "'localhost'" } - { var: smtp_port, value: "2525" } # System - { var: force_https, value: "true" } - { var: login_autocomplete, value: "2" } - { var: skin_logo, value: "'/images/fripost_logo.png'" } - { var: username_domain, value: "'fripost.org'" } @@ -112,27 +112,27 @@ notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/roundcube file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link force=yes register: r2 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/mail.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey 
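Review bot: The nested escapes in `regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*='` and `line='$config[\'{{ item.var }}\'] = {{ item.value }};'` depend on the key=value splitter decoding `\'` inside a single-quoted value, on top of the YAML plain-scalar and Python regex layers, so a reader has to simulate three parsers to know which pattern reaches /etc/roundcube/config.inc.php. Since the playbooks now target Ansible 2.0, the module's dict form drops the inner quoting layer and leaves only YAML escaping, with the same regexp and line reaching the module; `mode` is quoted so YAML does not turn the octal literal into an integer. The `with_items` list below the task is unchanged.
```yaml
- name: Configure Roundcube
  lineinfile:
    dest: /etc/roundcube/config.inc.php
    regexp: "^\\s*\\$config\\['{{ item.var }}'\\]\\s*="
    line: "$config['{{ item.var }}'] = {{ item.value }};"
    owner: root
    group: www-data
    mode: "0640"
  # … unchanged: with_items list of var/value pairs …
```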
diff --git a/roles/wiki/handlers/main.yml b/roles/wiki/handlers/main.yml index 42ae6ef..109c63d 100644 --- a/roles/wiki/handlers/main.yml +++ b/roles/wiki/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Restart Nginx service: name=nginx state=restarted - name: Refresh ikiwiki - sudo_user: ikiwiki + become_user: ikiwiki command: ikiwiki --setup /var/lib/ikiwiki/fripost-wiki.setup --refresh --wrappers diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml index 763f99a..9748768 100644 --- a/roles/wiki/tasks/main.yml +++ b/roles/wiki/tasks/main.yml 
@@ -42,77 +42,77 @@ # /var/lib/ikiwiki/fripost-wiki.setup # To create a new wiki: # $ /usr/bin/sudo -u ikiwiki git config --global user.name "Fripost Admins" # $ /usr/bin/sudo -u ikiwiki git config --global user.email "admin@fripost.org" # $ /usr/bin/sudo -u ikiwiki ikiwiki --setup /etc/ikiwiki/auto.setup # ## Add ikiwiki's key to gitolite # sudo ln -s /var/lib/ikiwiki/wiki.fripost.org /var/lib/gitolite/repositories/fripost-wiki.git/hooks/post-update # $ /usr/bin/sudo -u ikiwiki git clone ssh://gitolite@localhost/fripost-wiki.git - name: Configure ikiwiki copy: src=var/lib/ikiwiki/fripost-wiki.setup dest=/var/lib/ikiwiki/fripost-wiki.setup owner=root group=root mode=0644 notify: - Refresh ikiwiki - name: Add fripost-wiki to /etc/ikiwiki/wikilist lineinfile: dest=/etc/ikiwiki/wikilist - "line=ikiwiki /var/lib/ikiwiki/fripost-wiki.setup" + line='ikiwiki /var/lib/ikiwiki/fripost-wiki.setup' owner=root group=root mode=0644 - meta: flush_handlers - name: Copy /etc/nginx/sites-available/{wiki,website} copy: src=etc/nginx/sites-available/{{ item }} dest=/etc/nginx/sites-available/{{ item }} owner=root group=root mode=0644 register: r1 with_items: - website - wiki notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/{wiki,website} file: src=../sites-available/{{ item }} dest=/etc/nginx/sites-enabled/{{ item }} owner=root group=root state=link force=yes register: r2 with_items: - website - wiki notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/www.fripost.org.pem dest=certs/public/fripost.org.pem fail_on_missing=yes flat=yes tags: - genkey - name: Create directory /var/www/fripost.org/autoconfig/mail file: path=/var/www/fripost.org/autoconfig/mail state=directory owner=root group=root mode=0755 - name: Copy 
/var/www/fripost.org/autoconfig/mail/config-v1.1.xml copy: src=var/www/fripost.org/autoconfig/mail/config-v1.1.xml dest=/var/www/fripost.org/autoconfig/mail/config-v1.1.xml owner=root group=root mode=0644 |