From fa8d2b668550259e6f78d16fc209c4da1a20b842 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2016 15:25:31 +0100 Subject: Upgrade playbooks to Ansible 2.0. --- ansible.cfg | 116 +++++++++---------------------------- lib/action_plugins/openldap.py | 86 +++++++++++---------------- roles/IMAP/handlers/main.yml | 2 +- roles/IMAP/tasks/imap.yml | 2 +- roles/IMAP/tasks/main.yml | 18 +++++- roles/LDAP-provider/tasks/main.yml | 4 +- roles/MSA/tasks/main.yml | 2 +- roles/MX/tasks/main.yml | 2 +- roles/bacula-dir/tasks/main.yml | 2 +- roles/bacula-sd/tasks/main.yml | 2 +- roles/common-LDAP/tasks/main.yml | 2 +- roles/common/tasks/bacula.yml | 2 +- roles/common/tasks/mail.yml | 6 +- roles/common/tasks/main.yml | 57 +++++++++++++----- roles/common/tasks/munin-node.yml | 2 +- roles/common/tasks/sysctl.yml | 2 +- roles/git/tasks/cgit.yml | 2 +- roles/git/tasks/gitolite.yml | 4 +- roles/git/tasks/main.yml | 6 +- roles/lists/tasks/main.yml | 16 ++++- roles/lists/tasks/nginx.yml | 2 +- roles/webmail/tasks/main.yml | 10 +++- roles/webmail/tasks/roundcube.yml | 6 +- roles/wiki/handlers/main.yml | 2 +- roles/wiki/tasks/main.yml | 4 +- 25 files changed, 168 insertions(+), 191 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index 3810727..2de77ef 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -3,105 +3,43 @@ # ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first [defaults] - -# location of inventory file, eliminates need to specify -i - -#hostfile = ./stage_vms - -# location of ansible library, eliminates need to specify --module-path - -library = ./lib/modules:/usr/share/ansible - -# default module name used in /usr/bin/ansible when -m is not specified - -module_name = command - -# home directory where temp files are stored on remote systems. Should -# almost always contain $HOME or be a directory writeable by all users - -remote_tmp = $HOME/.ansible/tmp - -# the default pattern for ansible-playbooks ("hosts:") - -pattern = * - -# the default number of forks (parallelism) to be used. Usually you -# can crank this up. - -forks = 5 - -# the timeout used by various connection types. Usually this corresponds -# to an SSH timeout - -timeout = 10 - -# when using --poll or "poll:" in an ansible playbook, and not specifying -# an explicit poll interval, use this interval - -poll_interval = 15 - -# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook, -# and not specifying "--sudo-user" or "sudo_user" respectively, sudo -# to this user account - -sudo = True -#sudo_user = root - -# what flags to pass to sudo -sudo_flags = -H LC_ALL=C - -# the following forces ansible to always ask for the sudo password (instead of having -# to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS) - -ask_sudo_pass = True - -# the following forces ansible to always ask for the ssh-password (-k) -# can also be set by the environment variable ANSIBLE_ASK_PASS - -#ask_pass = True - -# connection to use when -c is not specified - -transport = ssh - -# remote SSH port to be used when --port or "port:" or an equivalent inventory -# variable is not specified. - -remote_port = 22 - -# if set, always run /usr/bin/ansible commands as this user, and assume this value -# if "user:" is not set in a playbook. If not set, use the current Unix user -# as the default - -#remote_user = root - -# if set, always use this private key file for authentication, same as if passing -# --private-key to ansible or ansible-playbook - -#private_key_file=/path/to/file - -# format of string $ansible_managed available within Jinja2 templates, replacing -# {file}, {host} and {uid} with template filename, host and owner respectively. -# The resulting string is passed through strftime(3) so it may contain any -# time-formatting specifiers. -# -# Example: ansible_managed = DONT TOUCH {file}: call {uid} at {host} for changes +library = ./lib/modules:/usr/share/ansible +remote_tmp = $HOME/.ansible/tmp +forks = 5 +poll_interval = 15 +transport = ssh +remote_port = 22 +module_lang = C +timeout = 10 + +# format of string {{ ansible_managed }} available within Jinja2 +# templates indicates to users editing templates files will be replaced. +# replacing {file}, {host} and {uid} and strftime codes with proper values. ansible_managed = Ansible Managed: modified on %Y-%m-%d %H:%M:%S by {uid}@{host} # additional plugin paths for non-core plugins - action_plugins = ./lib/action_plugins callback_plugins = ./lib/callback_plugins connection_plugins = ./lib/connection_plugins lookup_plugins = ./lib/lookup_plugins vars_plugins = ./lib/vars_plugins -[ssh_connection] +# retry files +# When a playbook fails by default a .retry file will be created in ~/ +# You can disable this feature by setting retry_files_enabled to False +# and you can change the location of the files by setting retry_files_save_path +retry_files_enabled = False +#retry_files_save_path = ~/.ansible-retry + -# if uncommented, sets the ansible ssh arguments to the following. Leaving off ControlPersist -# will result in poor performance, so use transport=paramiko on older platforms rather than -# removing it +[privilege_escalation] +become=True +become_method=sudo +#become_user=root +become_ask_pass=True -control_path = /run/shm/ansible-ssh-%%C + +[ssh_connection] +control_path = ~/.ssh/S.ansible-%%C ssh_args = -oHashKnownHosts=no -oUserKnownHostsFile=./certs/ssh_known_hosts -oStrictHostKeyChecking=yes -oControlMaster=auto -oControlPersist=60s pipelining = True diff --git a/lib/action_plugins/openldap.py b/lib/action_plugins/openldap.py index 5dbf59f..a66c3aa 100644 --- a/lib/action_plugins/openldap.py +++ b/lib/action_plugins/openldap.py @@ -14,73 +14,55 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -import os -import pipes -import tempfile +from ansible.plugins.action import ActionBase +from ansible.utils.unicode import to_bytes, to_unicode -from ansible.utils import template -from ansible import utils -from ansible.runner.return_data import ReturnData - -class ActionModule(object): +class ActionModule(ActionBase): TRANSFERS_FILES = True - def __init__(self, runner): - self.runner = runner - - def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): - ''' handler for file transfer operations ''' + def run(self, tmp=None, task_vars=None): + if task_vars is None: + task_vars = dict() - if self.runner.noop_on_check(inject): - return ReturnData(conn=conn, comm_ok=True, result=dict(skipped=True)) + if self._play_context.check_mode: + return dict(skipped=True, msg='check mode not supported for this module') - # load up options - options = {} - if complex_args: - options.update(complex_args) - options.update(utils.parse_kv(module_args)) + result = super(ActionModule, self).run(tmp, task_vars) - target = options.get('target', None) - local = options.get('local', 'no') + target = self._task.args.get('target', None) + local = self._task.args.get('local', 'no') if local not in [ 'no', 'file', 'template' ]: - result = dict(failed=True, msg="local must be in ['no','file','template']") - return ReturnData(conn=conn, comm_ok=False, result=result) + return dict(failed=True, msg="local must be in ['no','file','template']") if local != 'no' and target is None: - result = dict(failed=True, msg="target is required in local mode") - return ReturnData(conn=conn, comm_ok=False, result=result) + return dict(failed=True, msg="target is required in local mode") if local == 'no': # run the module remotely - return self.runner._execute_module(conn, tmp, 'openldap', module_args, inject=inject, complex_args=complex_args) - elif '_original_file' in inject: - target = utils.path_dwim_relative(inject['_original_file'], local+'s', target, self.runner.basedir) + return self._execute_module(module_args=self._task.args, task_vars=task_vars) + + if self._task._role is not None: + target = self._loader.path_dwim_relative(self._task._role._role_path, local+'s', target) else: - # the source is local, so expand it here - target = os.path.expanduser(target) + target = self._loader.path_dwim_relative(self._loader.get_basedir(), local+'s', target) + + new_module_args = self._task.args.copy() + new_module_args['target'] = self._connection._shell.join_path(self._make_tmp_path(), 'target.ldif') + new_module_args['local'] = 'no' - options['local'] = 'no' - options['target'] = os.path.join(tmp, os.path.basename(target)) if local == 'template': - # template the source data locally and transfer it + # template the source data locally try: - s = template.template_from_file(self.runner.basedir, target, inject, vault_password=self.runner.vault_pass) - tmpfile = tempfile.NamedTemporaryFile(delete=False) - tmpfile.write(s) - tmpfile.close() - target = tmpfile.name - except Exception, e: - result = dict(failed=True, msg=str(e)) - return ReturnData(conn=conn, comm_ok=False, result=result) - conn.put_file(tmpfile.name, options['target']) - os.unlink(tmpfile.name) - - elif local == 'file': - conn.put_file(target, options['target']) + with open(target, 'r') as f: + template_data = to_unicode(f.read()) + target = self._templar.template(template_data, preserve_trailing_newlines=True, escape_backslashes=False, convert_data=False) + except Exception as e: + result['failed'] = True + result['msg'] = type(e).__name__ + ": " + str(e) + return result - # run the script remotely with the new (temporary) filename - module_args = "" - for o in options: - module_args = "%s %s=%s" % (module_args, o, pipes.quote(options[o])) - return self.runner._execute_module(conn, tmp, 'openldap', module_args, inject=inject) + # transfer the file and run the module remotely + self._transfer_data(new_module_args['target'], target) + result.update(self._execute_module(module_args=new_module_args, task_vars=task_vars)) + return result diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml index 10a717d..2c49611 100644 --- a/roles/IMAP/handlers/main.yml +++ b/roles/IMAP/handlers/main.yml @@ -6,7 +6,7 @@ service: name=postfix state=reloaded - name: Compile Spamassassin rules - sudo_user: debian-spamd + become_user: debian-spamd # it might take a while... command: /usr/bin/sa-compile --quiet chdir=/var/lib/spamassassin/ diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index c9686c9..883b6a8 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -79,7 +79,7 @@ - name: Fetch Dovecot's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem dest=certs/public/ fail_on_missing=yes diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml index 9ed2ea6..f9b25d1 100644 --- a/roles/IMAP/tasks/main.yml +++ b/roles/IMAP/tasks/main.yml @@ -1,4 +1,16 @@ --- -- include: imap.yml tags=imap,dovecot -- include: mda.yml tags=mda,mail,postfix -#- include: spam.yml tags=spam,spamassassin # TODO spam filter +- include: imap.yml + tags: + - imap + - dovecot +- include: mda.yml + tags: + - mda + - mail + - postfix +# TODO spam filter +#- include: spam.yml +# tags +# - spam +# - spamassassin +# diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml index 3f7f29f..ad6e7bb 100644 --- a/roles/LDAP-provider/tasks/main.yml +++ b/roles/LDAP-provider/tasks/main.yml @@ -6,8 +6,8 @@ - name: Enable the EXTERNAL SASL mechanism lineinfile: dest=/usr/lib/sasl2/slapd.conf - regexp='^mech_list'':' - line=mech_list':'' EXTERNAL' + regexp='^mech_list{{':'}}' + line='mech_list{{':'}} EXTERNAL' create=yes owner=root group=root mode=0644 diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml index 499880f..4c0ceef 100644 --- a/roles/MSA/tasks/main.yml +++ b/roles/MSA/tasks/main.yml @@ -26,7 +26,7 @@ - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False # `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file` fetch: src=/etc/postfix/ssl/smtp.fripost.org.pem dest=certs/public/ diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml index 1b820e3..6ca11c0 100644 --- a/roles/MX/tasks/main.yml +++ b/roles/MX/tasks/main.yml @@ -80,7 +80,7 @@ - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file` fetch: src=/etc/postfix/ssl/mx.fripost.org.pem dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml index cee6fc2..1dd0683 100644 --- a/roles/bacula-dir/tasks/main.yml +++ b/roles/bacula-dir/tasks/main.yml @@ -30,7 +30,7 @@ - name: Fetch Bacula Dir X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem dest=certs/bacula/ fail_on_missing=yes diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml index 7a6c8c3..a888db6 100644 --- a/roles/bacula-sd/tasks/main.yml +++ b/roles/bacula-sd/tasks/main.yml @@ -30,7 +30,7 @@ - name: Fetch Bacula SD X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem dest=certs/bacula/ fail_on_missing=yes diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 5b7143f..960189b 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -56,7 +56,7 @@ - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml index 248d47d..91b37c8 100644 --- a/roles/common/tasks/bacula.yml +++ b/roles/common/tasks/bacula.yml @@ -30,7 +30,7 @@ - name: Fetch Bacula FD X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem dest=certs/bacula/ fail_on_missing=yes diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index c8e2495..273dc5c 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml @@ -68,7 +68,7 @@ - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem dest=certs/postfix/ fail_on_missing=yes @@ -78,8 +78,8 @@ - name: Add a 'root' alias lineinfile: dest=/etc/aliases create=yes - regexp="^root:"" " - line="root:"" root@fripost.org" + regexp="^root{{':'}} " + line="root{{':'}} root@fripost.org" - name: Compile the static local Postfix database postmap: cmd=postalias src=/etc/aliases db=cdb diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 3b95c92..3e6a4a8 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,20 +1,36 @@ --- -- include: sysctl.yml tags=sysctl +- include: sysctl.yml + tags: sysctl - include: hosts.yml -- include: apt.yml tags=apt +- include: apt.yml + tags: apt - name: Install intel-microcode apt: pkg=intel-microcode when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" tags: intel -- include: firewall.yml tags=firewall,iptables -- include: samhain.yml tags=samhain -- include: auditd.yml tags=auditd -- include: rkhunter.yml tags=rkhunter -- include: clamav.yml tags=clamav -- include: fail2ban.yml tags=fail2ban -- include: smart.yml tags=smartmontools,smart +- include: firewall.yml + tags: + - firewall + - iptables +- include: samhain.yml + tags: samhain +- include: auditd.yml + tags: auditd +- include: rkhunter.yml + tags: rkhunter +- include: clamav.yml + tags: clamav +- include: fail2ban.yml + tags: fail2ban +- include: smart.yml + tags: + - smartmontools + - smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" -- include: haveged.yml tags=haveged,entropy +- include: haveged.yml + tags: + - haveged + - entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} @@ -27,11 +43,22 @@ - name: Generate DH parameters command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem tags: genkey -- include: logging.yml tags=logging -- include: ntp.yml tags=ntp -- include: mail.yml tags=mail,postfix -- include: bacula.yml tags=bacula-fd,bacula -- include: munin-node.yml tags=munin-node,munin +- include: logging.yml + tags: logging +- include: ntp.yml + tags: ntp +- include: mail.yml + tags: + - mail + - postfix +- include: bacula.yml + tags: + - bacula-fd + - bacula +- include: munin-node.yml + tags: + - munin-node + - munin - name: Install common packages apt: pkg={{ item }} diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml index 9e5d8f4..c585d60 100644 --- a/roles/common/tasks/munin-node.yml +++ b/roles/common/tasks/munin-node.yml @@ -172,7 +172,7 @@ - name: Fetch Munin X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem dest=certs/munin/{{ inventory_hostname }}.pem fail_on_missing=yes diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml index 6ac7feb..d3ae86f 100644 --- a/roles/common/tasks/sysctl.yml +++ b/roles/common/tasks/sysctl.yml @@ -1,4 +1,4 @@ -- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes +- sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes with_items: - { name: 'kernel.domainname', value: '{{ ansible_domain }}' } diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml index 7237aa9..cebcec8 100644 --- a/roles/git/tasks/cgit.yml +++ b/roles/git/tasks/cgit.yml @@ -98,7 +98,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/git.fripost.org.pem dest=certs/public/ fail_on_missing=yes diff --git a/roles/git/tasks/gitolite.yml b/roles/git/tasks/gitolite.yml index 5cbce23..90b3015 100644 --- a/roles/git/tasks/gitolite.yml +++ b/roles/git/tasks/gitolite.yml @@ -26,8 +26,8 @@ - name: Configure gitolite lineinfile: dest=/var/lib/gitolite/.gitolite.rc - "regexp=^(\\s*{{ item.var }}\\s*=>\\s*)" - "line= {{ item.var }} => {{ item.value }}," + regexp='^(\\s*{{ item.var }}\\s*=>\\s*)' + line=' {{ item.var }} => {{ item.value }},' owner=root group=root mode=0644 with_items: diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index da9f876..e24402a 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml @@ -1,2 +1,4 @@ -- include: gitolite.yml tags=gitolite -- include: cgit.yml tags=cgit +- include: gitolite.yml + tags: gitolite +- include: cgit.yml + tags: cgit diff --git a/roles/lists/tasks/main.yml b/roles/lists/tasks/main.yml index f0e8e26..b43c948 100644 --- a/roles/lists/tasks/main.yml +++ b/roles/lists/tasks/main.yml @@ -1,3 +1,13 @@ -- include: mail.yml tags=postfix,mail -- include: nginx.yml tags=nginx,www,web -- include: sympa.yml tags=sympa,lists +- include: mail.yml + tags: + - postfix + - mail +- include: nginx.yml + tags: + - nginx + - www + - web +- include: sympa.yml + tags: + - sympa + - lists diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml index 21e769a..34d42bd 100644 --- a/roles/lists/tasks/nginx.yml +++ b/roles/lists/tasks/nginx.yml @@ -27,7 +27,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/lists.fripost.org.pem dest=certs/public/ fail_on_missing=yes diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml index 030a547..8ee50bd 100644 --- a/roles/webmail/tasks/main.yml +++ b/roles/webmail/tasks/main.yml @@ -1,3 +1,9 @@ -- include: mail.yml tags=postfix,mail +- include: mail.yml when: "'out' not in group_names" -- include: roundcube.yml tags=roundcube,webmail + tags: + - postfix + - mail +- include: roundcube.yml + tags: + - roundcube + - webmail diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index 3eaf766..eb04ba1 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -40,8 +40,8 @@ - name: Configure Roundcube lineinfile: dest=/etc/roundcube/config.inc.php - "regexp=^\\s*\\$config\\['{{ item.var }}'\\]\\s*=" - "line=$config['{{ item.var }}'] = {{ item.value }};" + regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*=' + line='$config[\'{{ item.var }}\'] = {{ item.value }};' owner=root group=www-data mode=0640 with_items: @@ -129,7 +129,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/mail.fripost.org.pem dest=certs/public/ fail_on_missing=yes diff --git a/roles/wiki/handlers/main.yml b/roles/wiki/handlers/main.yml index 42ae6ef..109c63d 100644 --- a/roles/wiki/handlers/main.yml +++ b/roles/wiki/handlers/main.yml @@ -3,5 +3,5 @@ service: name=nginx state=restarted - name: Refresh ikiwiki - sudo_user: ikiwiki + become_user: ikiwiki command: ikiwiki --setup /var/lib/ikiwiki/fripost-wiki.setup --refresh --wrappers diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml index 763f99a..9748768 100644 --- a/roles/wiki/tasks/main.yml +++ b/roles/wiki/tasks/main.yml @@ -59,7 +59,7 @@ - name: Add fripost-wiki to /etc/ikiwiki/wikilist lineinfile: dest=/etc/ikiwiki/wikilist - "line=ikiwiki /var/lib/ikiwiki/fripost-wiki.setup" + line='ikiwiki /var/lib/ikiwiki/fripost-wiki.setup' owner=root group=root mode=0644 @@ -97,7 +97,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/www.fripost.org.pem dest=certs/public/fripost.org.pem fail_on_missing=yes -- cgit v1.2.3