authorGuilhem Moulin <guilhem@fripost.org>2016-02-12 15:25:31 +0100
committerGuilhem Moulin <guilhem@fripost.org>2016-02-12 20:06:22 +0100
commitfa8d2b668550259e6f78d16fc209c4da1a20b842 (patch)
treecfa56bc2941f14626cbecf7e785d6c3a9c000e0d /roles
parentce731cb119b501b2de58473c6fb0d205d772c004 (diff)
Upgrade playbooks to Ansible 2.0.
Diffstat (limited to 'roles')
-rw-r--r--roles/IMAP/handlers/main.yml2
-rw-r--r--roles/IMAP/tasks/imap.yml2
-rw-r--r--roles/IMAP/tasks/main.yml18
-rw-r--r--roles/LDAP-provider/tasks/main.yml4
-rw-r--r--roles/MSA/tasks/main.yml2
-rw-r--r--roles/MX/tasks/main.yml2
-rw-r--r--roles/bacula-dir/tasks/main.yml2
-rw-r--r--roles/bacula-sd/tasks/main.yml2
-rw-r--r--roles/common-LDAP/tasks/main.yml2
-rw-r--r--roles/common/tasks/bacula.yml2
-rw-r--r--roles/common/tasks/mail.yml6
-rw-r--r--roles/common/tasks/main.yml57
-rw-r--r--roles/common/tasks/munin-node.yml2
-rw-r--r--roles/common/tasks/sysctl.yml2
-rw-r--r--roles/git/tasks/cgit.yml2
-rw-r--r--roles/git/tasks/gitolite.yml4
-rw-r--r--roles/git/tasks/main.yml6
-rw-r--r--roles/lists/tasks/main.yml16
-rw-r--r--roles/lists/tasks/nginx.yml2
-rw-r--r--roles/webmail/tasks/main.yml10
-rw-r--r--roles/webmail/tasks/roundcube.yml6
-rw-r--r--roles/wiki/handlers/main.yml2
-rw-r--r--roles/wiki/tasks/main.yml4
23 files changed, 107 insertions, 50 deletions
diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml
index 10a717d..2c49611 100644
--- a/roles/IMAP/handlers/main.yml
+++ b/roles/IMAP/handlers/main.yml
@@ -1,29 +1,29 @@
---
- name: Restart Dovecot
service: name=dovecot state=restarted
- name: Reload Postfix
service: name=postfix state=reloaded
- name: Compile Spamassassin rules
- sudo_user: debian-spamd
+ become_user: debian-spamd
# it might take a while...
command: /usr/bin/sa-compile --quiet
chdir=/var/lib/spamassassin/
- name: Restart Amavis
service: name=amavis state=restarted
- name: Copy SQL tables for spamassassin
copy: src=tmp/spamassassin.sql
dest=/tmp/spamassassin.sql
owner=root group=root
mode=0600
- name: Create SQL tables for spamassassin
# see https://svn.apache.org/repos/asf/spamassassin/trunk/sql/
# for the original
mysql_db: name=spamassassin state=import
target=/tmp/spamassassin.sql
encoding=latin1 collation=latin1_unicode_ci
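Review bot: `become_user: debian-spamd` on the "Compile Spamassassin rules" handler is not paired with `become: yes`, and in Ansible 2.0 `become_user` on its own does not switch privilege escalation on. If the play or ansible.cfg already enables `become` this is harmless; otherwise sa-compile runs as the connecting user rather than as debian-spamd, so either add `become: yes` beside it or note in a comment where `become` is enabled. The "Refresh ikiwiki" handler in roles/wiki/handlers/main.yml makes the same `sudo_user` → `become_user` change and deserves the same check.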
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index c9686c9..883b6a8 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -62,41 +62,41 @@
- all
- flagged
- recent
- unseen
- name: Create directory /home/mail/spamspool
file: path=/home/mail/spamspool
state=directory
owner=vmail group=vmail
mode=0700
- name: Create directory /etc/dovecot/ssl
file: path=/etc/dovecot/ssl
state=directory
owner=root group=root
mode=0755
- name: Fetch Dovecot's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem
dest=certs/public/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Configure Dovecot
copy: src=etc/dovecot/{{ item }}
dest=/etc/dovecot/{{ item }}
owner=root group=root
mode=0644
register: r1
with_items:
- conf.d/10-auth.conf
- conf.d/10-logging.conf
- conf.d/10-mail.conf
- conf.d/10-master.conf
- conf.d/10-ssl.conf
- conf.d/15-mailboxes.conf
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index 9ed2ea6..f9b25d1 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,4 +1,16 @@
---
-- include: imap.yml tags=imap,dovecot
-- include: mda.yml tags=mda,mail,postfix
-#- include: spam.yml tags=spam,spamassassin # TODO spam filter
+- include: imap.yml
+ tags:
+ - imap
+ - dovecot
+- include: mda.yml
+ tags:
+ - mda
+ - mail
+ - postfix
+# TODO spam filter
+#- include: spam.yml
+# tags
+# - spam
+# - spamassassin
+#
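Review bot: the commented-out include for spam.yml has `# tags` without the colon, so the moment the TODO is picked up and the block is uncommented it is not valid YAML; `#  tags:` would keep it a drop-in template. The lone `#` on the last line of the hunk also looks like a leftover and could go.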
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 3f7f29f..ad6e7bb 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -1,15 +1,15 @@
- name: Load and configure the syncprov overlay
openldap: module=syncprov
suffix=dc=fripost,dc=org
target=etc/ldap/syncprov.ldif
local=file
- name: Enable the EXTERNAL SASL mechanism
lineinfile: dest=/usr/lib/sasl2/slapd.conf
- regexp='^mech_list'':'
- line=mech_list':'' EXTERNAL'
+ regexp='^mech_list{{':'}}'
+ line='mech_list{{':'}} EXTERNAL'
create=yes
owner=root group=root
mode=0644
# TODO: authz constraint
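Review bot: the `{{':'}}` inside the regexp and line of the "Enable the EXTERNAL SASL mechanism" task is obscure enough to deserve a comment, otherwise the next reader will "simplify" it back to a literal colon and get a YAML parse error, because `: ` inside this unquoted multi-line scalar is read as a mapping separator. A one-liner above the lineinfile such as `# {{':'}} yields a literal ':' — a bare ': ' here would be parsed as a YAML mapping` would do. The anchor `^mech_list{{':'}}` also assumes no whitespace before the colon in the shipped sasl2/slapd.conf, which is presumably fine but worth confirming.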
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 499880f..4c0ceef 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -9,41 +9,41 @@
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
notify:
- Reload Postfix
- name: Copy the Regex to anonymize senders
# no need to reload upon change, as cleanup(8) is short-running
copy: src=etc/postfix/anonymize_sender.pcre
dest=/etc/postfix-{{ postfix_instance[inst].name }}/anonymize_sender.pcre
owner=root group=root
mode=0644
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
- name: Fetch Postfix's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
# `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
fetch: src=/etc/postfix/ssl/smtp.fripost.org.pem
dest=certs/public/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Install 'postfix_mailqueue_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 1b820e3..6ca11c0 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -63,41 +63,41 @@
postmap: instance={{ postfix_instance[inst].name }}
src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/transport db=cdb
owner=root group=root
mode=0644
notify:
- Reload Postfix
- name: Copy reserved-alias.pl
copy: src=usr/local/bin/reserved-alias.pl
dest=/usr/local/bin/reserved-alias.pl
owner=root group=root
mode=0755
- meta: flush_handlers
- name: Start Postfix
service: name=postfix state=started
- name: Fetch Postfix's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
# `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
fetch: src=/etc/postfix/ssl/mx.fripost.org.pem
dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Install 'postfix_mailqueue_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/postfix_mailqueue_
dest=/etc/munin/plugins/postfix_mailqueue_postfix-{{ postfix_instance[inst].name }}
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index cee6fc2..1dd0683 100644
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -13,41 +13,41 @@
state=directory
owner=root group=root
mode=0755
- name: Generate a private key and a X.509 certificate for Bacula Dir
command: genkeypair.sh x509
--pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
--privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key
--ou=BaculaDir --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
-t rsa -b 4096 -h sha512
register: r1
changed_when: r1.rc == 0
failed_when: r1.rc > 1
notify:
- Restart stunnel
tags:
- genkey
- name: Fetch Bacula Dir X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem
dest=certs/bacula/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Copy Bacula SD X.509 certificates
copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
dest=/etc/stunnel/certs/
owner=root group=root
mode=0644
with_items: groups['bacula-sd'] | difference([inventory_hostname]) | sort
register: r2
notify:
- Restart stunnel
- name: Copy Bacula FD X.509 certificates
copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-fd.pem
dest=/etc/stunnel/certs/
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 7a6c8c3..a888db6 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -13,41 +13,41 @@
state=directory
owner=root group=root
mode=0755
- name: Generate a private key and a X.509 certificate for Bacula SD
command: genkeypair.sh x509
--pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
--privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key
--ou=BaculaSD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
-t rsa -b 4096 -h sha512
register: r1
changed_when: r1.rc == 0
failed_when: r1.rc > 1
notify:
- Restart stunnel
tags:
- genkey
- name: Fetch Bacula SD X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem
dest=certs/bacula/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Copy Bacula Dir/FD X.509 certificates
assemble: src=certs/bacula regexp="-(dir|fd)\.pem$" remote_src=no
dest=/etc/stunnel/certs/bacula-dir+fds.pem
owner=root group=root
mode=0644
register: r2
notify:
- Restart stunnel
- name: Configure stunnel
template: src=etc/stunnel/bacula-sd.conf.j2
dest=/etc/stunnel/bacula-sd.conf
owner=root group=root
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 5b7143f..960189b 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -39,41 +39,41 @@
command: genkeypair.sh x509
--pubkey=/etc/ldap/ssl/{{ item.name }}.pem
--privkey=/etc/ldap/ssl/{{ item.name }}.key
--ou=LDAP {{ item.ou }} --cn={{ item.name }}
--usage=digitalSignature,keyEncipherment,keyCertSign
-t rsa -b 4096 -h sha256
--owner=root --group=openldap --mode=0640
register: r2
changed_when: r2.rc == 0
failed_when: r2.rc > 1
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org, ou: }
- { group: 'MX', name: mx, ou: --ou=SyncRepl }
- { group: 'lists', name: lists, ou: --ou=SyncRepl }
when: "item.group in group_names"
tags:
- genkey
- name: Fetch slapd's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/ldap/ssl/{{ item.name }}.pem
dest=certs/ldap/
fail_on_missing=yes
flat=yes
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org }
- { group: 'MX', name: mx }
- { group: 'lists', name: lists }
when: "item.group in group_names"
tags:
- genkey
- name: Copy the SyncProv's server certificate
copy: src=certs/ldap/ldap.fripost.org.pem
dest=/etc/ldap/ssl/ldap.fripost.org.pem
owner=root group=root
mode=0644
when: "'LDAP-provider' not in group_names"
tags:
- genkey
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 248d47d..91b37c8 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -13,41 +13,41 @@
state=directory
owner=root group=root
mode=0755
- name: Generate a private key and a X.509 certificate for Bacula FD
command: genkeypair.sh x509
--pubkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
--privkey=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key
--ou=BaculaFD --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
-t rsa -b 4096 -h sha512
register: r1
changed_when: r1.rc == 0
failed_when: r1.rc > 1
notify:
- Restart stunnel
tags:
- genkey
- name: Fetch Bacula FD X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem
dest=certs/bacula/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Copy Bacula Dir X.509 certificates
assemble: src=certs/bacula regexp="-dir\.pem$" remote_src=no
dest=/etc/stunnel/certs/bacula-dirs.pem
owner=root group=root
mode=0644
register: r2
when: "'bacula-dir' not in group_names"
notify:
- Restart stunnel
- name: Copy Bacula SD X.509 certificates
copy: src=certs/bacula/{{ hostvars[item].inventory_hostname_short }}-sd.pem
dest=/etc/stunnel/certs/
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index c8e2495..273dc5c 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -51,52 +51,52 @@
mode=0755
tags:
- genkey
- name: Generate a private key and a X.509 certificate for Postfix
command: genkeypair.sh x509
--pubkey=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
--privkey=/etc/postfix/ssl/{{ ansible_fqdn }}.key
--ou=Postfix --cn={{ ansible_fqdn }}
-t rsa -b 4096 -h sha512
register: r4
changed_when: r4.rc == 0
failed_when: r4.rc > 1
notify:
- Restart Postfix
tags:
- genkey
- name: Fetch Postfix's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem
dest=certs/postfix/
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Add a 'root' alias
lineinfile: dest=/etc/aliases create=yes
- regexp="^root:"" "
- line="root:"" root@fripost.org"
+ regexp="^root{{':'}} "
+ line="root{{':'}} root@fripost.org"
- name: Compile the static local Postfix database
postmap: cmd=postalias src=/etc/aliases db=cdb
owner=root group=root
mode=0644
# We're using CDB
- name: Delete /etc/aliases.db
file: path=/etc/aliases.db state=absent
- name: Copy the Postfix TLS policy map
template: src=etc/postfix/tls_policy.j2
dest=/etc/postfix/tls_policy
owner=root group=root
mode=0644
when: "'out' not in group_names or 'MX' in group_names"
tags:
- tls_policy
- name: Compile the Postfix TLS policy map
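Review bot: the regexp `"^root{{':'}} "` in the "Add a 'root' alias" task only matches a root alias written with exactly one space after the colon, so an existing `root:root@...` or tab-separated entry in /etc/aliases is not recognised and a second `root:` line is appended, which postalias then reports as a duplicate. Dropping the trailing space, `regexp="^root{{':'}}"`, still matches only the root key but catches any existing spelling of it. The double quotes here also differ from the single-quoted form the same commit uses in roles/LDAP-provider and roles/git; one style across the roles would be easier to maintain.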
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b95c92..3e6a4a8 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,47 +1,74 @@
---
-- include: sysctl.yml tags=sysctl
+- include: sysctl.yml
+ tags: sysctl
- include: hosts.yml
-- include: apt.yml tags=apt
+- include: apt.yml
+ tags: apt
- name: Install intel-microcode
apt: pkg=intel-microcode
when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')"
tags: intel
-- include: firewall.yml tags=firewall,iptables
-- include: samhain.yml tags=samhain
-- include: auditd.yml tags=auditd
-- include: rkhunter.yml tags=rkhunter
-- include: clamav.yml tags=clamav
-- include: fail2ban.yml tags=fail2ban
-- include: smart.yml tags=smartmontools,smart
+- include: firewall.yml
+ tags:
+ - firewall
+ - iptables
+- include: samhain.yml
+ tags: samhain
+- include: auditd.yml
+ tags: auditd
+- include: rkhunter.yml
+ tags: rkhunter
+- include: clamav.yml
+ tags: clamav
+- include: fail2ban.yml
+ tags: fail2ban
+- include: smart.yml
+ tags:
+ - smartmontools
+ - smart
when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
-- include: haveged.yml tags=haveged,entropy
+- include: haveged.yml
+ tags:
+ - haveged
+ - entropy
- name: Copy genkeypair.sh and gendhparam.sh
copy: src=usr/local/bin/{{ item }}
dest=/usr/local/bin/{{ item }}
owner=root group=root
mode=0755
tags: genkey
with_items:
- genkeypair.sh
- gendhparam.sh
- name: Generate DH parameters
command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
tags: genkey
-- include: logging.yml tags=logging
-- include: ntp.yml tags=ntp
-- include: mail.yml tags=mail,postfix
-- include: bacula.yml tags=bacula-fd,bacula
-- include: munin-node.yml tags=munin-node,munin
+- include: logging.yml
+ tags: logging
+- include: ntp.yml
+ tags: ntp
+- include: mail.yml
+ tags:
+ - mail
+ - postfix
+- include: bacula.yml
+ tags:
+ - bacula-fd
+ - bacula
+- include: munin-node.yml
+ tags:
+ - munin-node
+ - munin
- name: Install common packages
apt: pkg={{ item }}
with_items:
- ca-certificates
- etckeeper
- ethtool
- git
- htop
- molly-guard
- rsync
- screen
- telnet-ssl
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index 9e5d8f4..c585d60 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -155,41 +155,41 @@
state=directory
owner=root group=root
mode=0755
- name: Generate a private key and a X.509 certificate for munin-node
command: genkeypair.sh x509
--pubkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
--privkey=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
--ou=Munin --cn={{ inventory_hostname }} --dns={{ inventory_hostname }}
-t rsa -b 4096 -h sha512
register: r1
changed_when: r1.rc == 0
failed_when: r1.rc > 1
notify:
- Restart stunnel
tags:
- genkey
- name: Fetch Munin X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
dest=certs/munin/{{ inventory_hostname }}.pem
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Copy munin-master X.509 certificates
assemble: src=certs/munin regexp="{{ groups['munin-master'] | join('|') }}\.pem$" remote_src=no
dest=/etc/stunnel/certs/munin-master.pem
owner=root group=root
mode=0644
register: r2
when: "'munin-master' not in group_names"
notify:
- Restart stunnel
- name: Configure stunnel
template: src=etc/stunnel/munin-node.conf.j2
dest=/etc/stunnel/munin-node.conf
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 6ac7feb..d3ae86f 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -1,21 +1,21 @@
-- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes
+- sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
with_items:
- { name: 'kernel.domainname', value: '{{ ansible_domain }}' }
# Networking. See
# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# Enable Spoof protection (reverse-path filter). Turn on Source
# Address Verification in all interfaces to prevent some spoofing
# attacks.
- { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
- { name: 'net.ipv4.conf.all.rp_filter', value: 1 }
# Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
# rate-limit not only the default ICMP types 3, 4, 11 and 12
# (0x1818), but also types 0 and 8. See icmp(7).
- { name: 'net.ipv4.tcp_syncookies', value: 1 }
- { name: 'net.ipv4.icmp_ratemask', value: 6425 }
- { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
# Disable paquet forwarding between interfaces (we are not a router).
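Review bot: dropping the quotes around `value={{ item.value }}` on the first line means a value containing whitespace would be split by the key=value parser into separate tokens. None of the entries visible in this hunk have one, but the with_items list continues past the end of the hunk, so any multi-field sysctl (a port range, for instance) would break; if the old `"value=..."` form was removed because 2.0 rejected it, quoting the value alone, `value="{{ item.value }}"`, is the supported form. The per-key security comments (rp_filter, syncookies, ICMP rate limits) are a good precedent and worth keeping for any entry added later.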
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 7237aa9..cebcec8 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -81,27 +81,27 @@
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/git
file: src=../sites-available/git
dest=/etc/nginx/sites-enabled/git
owner=root group=root
state=link force=yes
register: r2
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/nginx/ssl/git.fripost.org.pem
dest=certs/public/
fail_on_missing=yes
flat=yes
tags:
- genkey
diff --git a/roles/git/tasks/gitolite.yml b/roles/git/tasks/gitolite.yml
index 5cbce23..90b3015 100644
--- a/roles/git/tasks/gitolite.yml
+++ b/roles/git/tasks/gitolite.yml
@@ -9,28 +9,28 @@
password=*
state=present
- name: Create directory ~gitolite/.ssh
file: path=/var/lib/gitolite/.ssh
state=directory
owner=gitolite group=gitolite
mode=0700
- name: Create /var/lib/gitolite/projects.list
file: path=/var/lib/gitolite/projects.list
owner=gitolite group=gitolite
mode=0644
# See /usr/share/doc/gitolite3/README.txt.gz for gitolite initiation or
# migration.
# sudo -u gitolite gitolite setup -pk /path/to/id_rsa
- name: Configure gitolite
lineinfile: dest=/var/lib/gitolite/.gitolite.rc
- "regexp=^(\\s*{{ item.var }}\\s*=>\\s*)"
- "line= {{ item.var }} => {{ item.value }},"
+ regexp='^(\\s*{{ item.var }}\\s*=>\\s*)'
+ line=' {{ item.var }} => {{ item.value }},'
owner=root group=root
mode=0644
with_items:
# See /usr/share/doc/gitolite3/README.txt.gz
- { var: UMASK, value: "0027" }
- { var: GIT_CONFIG_KEYS, value: "'gitweb\\..* gc\\..*'" }
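Review bot: the new `regexp='^(\\s*{{ item.var }}\\s*=>\\s*)'` lives in an unquoted (plain) YAML scalar, where a backslash is not an escape, so the module receives `\\s` — two backslashes — unless Ansible's key=value splitter collapses them, which I cannot confirm from here. The removed double-quoted form turned `\\s` into `\s`; if the new one does not, the regexp matches a literal backslash instead of whitespace, never finds the existing `UMASK => ...` line, and lineinfile appends a duplicate on every run. Worth checking with `--check --diff` against an already configured host, and if confirmed use single backslashes: `regexp='^(\s*{{ item.var }}\s*=>\s*)'`. The "Configure Roundcube" task in roles/webmail/tasks/roundcube.yml (`regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*='`) has the same construction, plus `\'` inside a single-quoted value, and should be checked together with this one.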
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index da9f876..e24402a 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -1,2 +1,4 @@
-- include: gitolite.yml tags=gitolite
-- include: cgit.yml tags=cgit
+- include: gitolite.yml
+ tags: gitolite
+- include: cgit.yml
+ tags: cgit
diff --git a/roles/lists/tasks/main.yml b/roles/lists/tasks/main.yml
index f0e8e26..b43c948 100644
--- a/roles/lists/tasks/main.yml
+++ b/roles/lists/tasks/main.yml
@@ -1,3 +1,13 @@
-- include: mail.yml tags=postfix,mail
-- include: nginx.yml tags=nginx,www,web
-- include: sympa.yml tags=sympa,lists
+- include: mail.yml
+ tags:
+ - postfix
+ - mail
+- include: nginx.yml
+ tags:
+ - nginx
+ - www
+ - web
+- include: sympa.yml
+ tags:
+ - sympa
+ - lists
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 21e769a..34d42bd 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -10,27 +10,27 @@
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/sympa
file: src=../sites-available/sympa
dest=/etc/nginx/sites-enabled/sympa
owner=root group=root
state=link
register: r2
notify:
- Restart Nginx
- name: Start nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/nginx/ssl/lists.fripost.org.pem
dest=certs/public/
fail_on_missing=yes
flat=yes
tags:
- genkey
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 030a547..8ee50bd 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -1,3 +1,9 @@
-- include: mail.yml tags=postfix,mail
+- include: mail.yml
when: "'out' not in group_names"
-- include: roundcube.yml tags=roundcube,webmail
+ tags:
+ - postfix
+ - mail
+- include: roundcube.yml
+ tags:
+ - roundcube
+ - webmail
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 3eaf766..eb04ba1 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -23,42 +23,42 @@
apt: pkg={{ item }} default_release={{ ansible_lsb.codename }}-backports
with_items:
- roundcube-core
- roundcube-mysql
- roundcube-plugins
- php-net-sieve
- php-net-ldap3
- php-mail-mimedecode
- name: Copy fripost's logo
copy: src=usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png
dest=/usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png
owner=root group=root
mode=0644
with_items:
- classic
- larry
- name: Configure Roundcube
lineinfile: dest=/etc/roundcube/config.inc.php
- "regexp=^\\s*\\$config\\['{{ item.var }}'\\]\\s*="
- "line=$config['{{ item.var }}'] = {{ item.value }};"
+ regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*='
+ line='$config[\'{{ item.var }}\'] = {{ item.value }};'
owner=root group=www-data
mode=0640
with_items:
# Logging/Debugging
- { var: smtp_log, value: "false" }
# IMAP
- { var: default_host, value: "'localhost'" }
- { var: default_port, value: "143" }
- { var: imap_auth_type, value: "'PLAIN'" }
- { var: imap_cache, value: "null" }
- { var: imap_timeout, value: "180" }
- { var: messages_cache, value: "false" }
# SMTP
- { var: smtp_server, value: "'localhost'" }
- { var: smtp_port, value: "2525" }
# System
- { var: force_https, value: "true" }
- { var: login_autocomplete, value: "2" }
- { var: skin_logo, value: "'/images/fripost_logo.png'" }
- { var: username_domain, value: "'fripost.org'" }
@@ -112,27 +112,27 @@
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/roundcube
file: src=../sites-available/roundcube
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
state=link force=yes
register: r2
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/nginx/ssl/mail.fripost.org.pem
dest=certs/public/
fail_on_missing=yes
flat=yes
tags:
- genkey
diff --git a/roles/wiki/handlers/main.yml b/roles/wiki/handlers/main.yml
index 42ae6ef..109c63d 100644
--- a/roles/wiki/handlers/main.yml
+++ b/roles/wiki/handlers/main.yml
@@ -1,7 +1,7 @@
---
- name: Restart Nginx
service: name=nginx state=restarted
- name: Refresh ikiwiki
- sudo_user: ikiwiki
+ become_user: ikiwiki
command: ikiwiki --setup /var/lib/ikiwiki/fripost-wiki.setup --refresh --wrappers
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 763f99a..9748768 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -42,77 +42,77 @@
# /var/lib/ikiwiki/fripost-wiki.setup
# To create a new wiki:
# $ /usr/bin/sudo -u ikiwiki git config --global user.name "Fripost Admins"
# $ /usr/bin/sudo -u ikiwiki git config --global user.email "admin@fripost.org"
# $ /usr/bin/sudo -u ikiwiki ikiwiki --setup /etc/ikiwiki/auto.setup
# ## Add ikiwiki's key to gitolite
# sudo ln -s /var/lib/ikiwiki/wiki.fripost.org /var/lib/gitolite/repositories/fripost-wiki.git/hooks/post-update
# $ /usr/bin/sudo -u ikiwiki git clone ssh://gitolite@localhost/fripost-wiki.git
- name: Configure ikiwiki
copy: src=var/lib/ikiwiki/fripost-wiki.setup
dest=/var/lib/ikiwiki/fripost-wiki.setup
owner=root group=root
mode=0644
notify:
- Refresh ikiwiki
- name: Add fripost-wiki to /etc/ikiwiki/wikilist
lineinfile: dest=/etc/ikiwiki/wikilist
- "line=ikiwiki /var/lib/ikiwiki/fripost-wiki.setup"
+ line='ikiwiki /var/lib/ikiwiki/fripost-wiki.setup'
owner=root group=root
mode=0644
- meta: flush_handlers
- name: Copy /etc/nginx/sites-available/{wiki,website}
copy: src=etc/nginx/sites-available/{{ item }}
dest=/etc/nginx/sites-available/{{ item }}
owner=root group=root
mode=0644
register: r1
with_items:
- website
- wiki
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/{wiki,website}
file: src=../sites-available/{{ item }}
dest=/etc/nginx/sites-enabled/{{ item }}
owner=root group=root
state=link force=yes
register: r2
with_items:
- website
- wiki
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
when: not (r1.changed or r2.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
- sudo: False
+ become: False
fetch: src=/etc/nginx/ssl/www.fripost.org.pem
dest=certs/public/fripost.org.pem
fail_on_missing=yes
flat=yes
tags:
- genkey
- name: Create directory /var/www/fripost.org/autoconfig/mail
file: path=/var/www/fripost.org/autoconfig/mail
state=directory
owner=root group=root
mode=0755
- name: Copy /var/www/fripost.org/autoconfig/mail/config-v1.1.xml
copy: src=var/www/fripost.org/autoconfig/mail/config-v1.1.xml
dest=/var/www/fripost.org/autoconfig/mail/config-v1.1.xml
owner=root group=root
mode=0644