From fa8d2b668550259e6f78d16fc209c4da1a20b842 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 12 Feb 2016 15:25:31 +0100
Subject: Upgrade playbooks to Ansible 2.0.
---
roles/IMAP/handlers/main.yml | 2 +-
roles/IMAP/tasks/imap.yml | 2 +-
roles/IMAP/tasks/main.yml | 18 ++++++++++--
roles/LDAP-provider/tasks/main.yml | 4 +--
roles/MSA/tasks/main.yml | 2 +-
roles/MX/tasks/main.yml | 2 +-
roles/bacula-dir/tasks/main.yml | 2 +-
roles/bacula-sd/tasks/main.yml | 2 +-
roles/common-LDAP/tasks/main.yml | 2 +-
roles/common/tasks/bacula.yml | 2 +-
roles/common/tasks/mail.yml | 6 ++--
roles/common/tasks/main.yml | 57 ++++++++++++++++++++++++++++----------
roles/common/tasks/munin-node.yml | 2 +-
roles/common/tasks/sysctl.yml | 2 +-
roles/git/tasks/cgit.yml | 2 +-
roles/git/tasks/gitolite.yml | 4 +--
roles/git/tasks/main.yml | 6 ++--
roles/lists/tasks/main.yml | 16 +++++++++--
roles/lists/tasks/nginx.yml | 2 +-
roles/webmail/tasks/main.yml | 10 +++++--
roles/webmail/tasks/roundcube.yml | 6 ++--
roles/wiki/handlers/main.yml | 2 +-
roles/wiki/tasks/main.yml | 4 +--
23 files changed, 107 insertions(+), 50 deletions(-)
(limited to 'roles')
diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml
index 10a717d..2c49611 100644
--- a/roles/IMAP/handlers/main.yml
+++ b/roles/IMAP/handlers/main.yml
@@ -6,7 +6,7 @@ service: name=postfix state=reloaded - name: Compile Spamassassin rules - sudo_user: debian-spamd + become_user: debian-spamd # it might take a while... command: /usr/bin/sa-compile --quiet chdir=/var/lib/spamassassin/
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index c9686c9..883b6a8 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -79,7 +79,7 @@ - name: Fetch Dovecot's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem dest=certs/public/ fail_on_missing=yes
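Review bot: `become_user: debian-spamd` on the Compile Spamassassin rules handler is only honoured when `become` is enabled for that task, which here presumably comes from a play-level setting outside this diff. Pairing it with `become: true` on the handler itself (`become: true` directly above `become_user: debian-spamd`) makes the intended drop to the unprivileged spamd account self-contained instead of depending on whichever play includes the role. The same applies to the Refresh ikiwiki handler in roles/wiki/handlers/main.yml.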
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index 9ed2ea6..f9b25d1 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,4 +1,16 @@ ---
-- include: imap.yml tags=imap,dovecot
-- include: mda.yml tags=mda,mail,postfix
-#- include: spam.yml tags=spam,spamassassin # TODO spam filter
+- include: imap.yml
+ tags:
+ - imap
+ - dovecot
+- include: mda.yml
+ tags:
+ - mda
+ - mail
+ - postfix
+# TODO spam filter
+#- include: spam.yml
+# tags
+# - spam
+# - spamassassin
+#
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 3f7f29f..ad6e7bb 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -6,8 +6,8 @@ - name: Enable the EXTERNAL SASL mechanism lineinfile: dest=/usr/lib/sasl2/slapd.conf - regexp='^mech_list'':' - line=mech_list':'' EXTERNAL' + regexp='^mech_list{{':'}}' + line='mech_list{{':'}} EXTERNAL' create=yes owner=root group=root mode=0644
diff --git a/roles/MSA/tasks/main.yml b/roles/MSA/tasks/main.yml
index 499880f..4c0ceef 100644
--- a/roles/MSA/tasks/main.yml
+++ b/roles/MSA/tasks/main.yml
@@ -26,7 +26,7 @@ - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False # `/usr/sbin/postmulti -i msa -x /usr/sbin/postconf -xh smtpd_tls_cert_file` fetch: src=/etc/postfix/ssl/smtp.fripost.org.pem dest=certs/public/
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index 1b820e3..6ca11c0 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -80,7 +80,7 @@ - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False # `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file` fetch: src=/etc/postfix/ssl/mx.fripost.org.pem dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index cee6fc2..1dd0683 100644
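Review bot: In the commented-out spam include in roles/IMAP/tasks/main.yml, the `#   tags` line has no colon, so the block would not parse as intended if the TODO were ever un-commented. Writing it as `#   tags:` now keeps the placeholder copy-paste ready, and the trailing bare `#` line adds nothing and can be dropped.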
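Review bot: `regexp='^mech_list{{':'}}'` and `line='mech_list{{':'}} EXTERNAL'` exist only to get a colon through the key=value argument string, and they nest single quotes inside single quotes, which is easy to break on the next edit. Since the playbook now targets Ansible 2.0, the task can use block-style module arguments, where `regexp: '^mech_list:'` and `line: 'mech_list: EXTERNAL'` need no workaround and `mode: '0644'` stays a string instead of relying on an unquoted octal literal. The same key=value quoting workaround recurs in the root-alias hunk of roles/common/tasks/mail.yml, and with an extra escaping layer in roles/git/tasks/gitolite.yml (`\\s`) and roles/webmail/tasks/roundcube.yml (`\\$`, `\'`); roles/common/tasks/sysctl.yml and roles/wiki/tasks/main.yml would benefit equally. The whole task is visible in the hunk, so the rewrite below is the complete replacement.
```yaml
- name: Enable the EXTERNAL SASL mechanism
  lineinfile:
    dest: /usr/lib/sasl2/slapd.conf
    regexp: '^mech_list:'
    line: 'mech_list: EXTERNAL'
    create: true
    owner: root
    group: root
    mode: '0644'
```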
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -30,7 +30,7 @@ - name: Fetch Bacula Dir X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem dest=certs/bacula/ fail_on_missing=yes
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 7a6c8c3..a888db6 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -30,7 +30,7 @@ - name: Fetch Bacula SD X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem dest=certs/bacula/ fail_on_missing=yes
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 5b7143f..960189b 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -56,7 +56,7 @@ - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 248d47d..91b37c8 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -30,7 +30,7 @@ - name: Fetch Bacula FD X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem dest=certs/bacula/ fail_on_missing=yes
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index c8e2495..273dc5c 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -68,7 +68,7 @@ - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem dest=certs/postfix/ fail_on_missing=yes
@@ -78,8 +78,8 @@ - name: Add a 'root' alias lineinfile: dest=/etc/aliases create=yes - regexp="^root:"" " - line="root:"" root@fripost.org" + regexp="^root{{':'}} " + line="root{{':'}} root@fripost.org" - name: Compile the static local Postfix database postmap: cmd=postalias src=/etc/aliases db=cdb
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b95c92..3e6a4a8 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,20 +1,36 @@ --- -- include: sysctl.yml tags=sysctl +- include: sysctl.yml + tags: sysctl - include: hosts.yml -- include: apt.yml tags=apt +- include: apt.yml + tags: apt - name: Install intel-microcode apt: pkg=intel-microcode when: "ansible_processor[0] | search('^(Genuine)?Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" tags: intel -- include: firewall.yml tags=firewall,iptables -- include: samhain.yml tags=samhain -- include: auditd.yml tags=auditd -- include: rkhunter.yml tags=rkhunter -- include: clamav.yml tags=clamav -- include: fail2ban.yml tags=fail2ban -- include: smart.yml tags=smartmontools,smart +- include: firewall.yml + tags: + - firewall + - iptables +- include: samhain.yml + tags: samhain +- include: auditd.yml + tags: auditd +- include: rkhunter.yml + tags: rkhunter +- include: clamav.yml + tags: clamav +- include: fail2ban.yml + tags: fail2ban +- include: smart.yml + tags: + - smartmontools + - smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" -- include: haveged.yml tags=haveged,entropy +- include: haveged.yml + tags: + - haveged + - entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }}
@@ -27,11 +43,22 @@ - name: Generate DH parameters command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem tags: genkey -- include: logging.yml tags=logging -- include: ntp.yml tags=ntp -- include: mail.yml tags=mail,postfix -- include: bacula.yml tags=bacula-fd,bacula -- include: munin-node.yml tags=munin-node,munin +- include: logging.yml + tags: logging +- include: ntp.yml + tags: ntp +- include: mail.yml + tags: + - mail + - postfix +- include: bacula.yml + tags: + - bacula-fd + - bacula +- include: munin-node.yml + tags: + - munin-node + - munin - name: Install common packages apt: pkg={{ item }}
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index 9e5d8f4..c585d60 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -172,7 +172,7 @@ - name: Fetch Munin X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem dest=certs/munin/{{ inventory_hostname }}.pem fail_on_missing=yes
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 6ac7feb..d3ae86f 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -1,4 +1,4 @@ -- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes +- sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes with_items: - { name: 'kernel.domainname', value: '{{ ansible_domain }}' }
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 7237aa9..cebcec8 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -98,7 +98,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/git.fripost.org.pem dest=certs/public/ fail_on_missing=yes
diff --git a/roles/git/tasks/gitolite.yml b/roles/git/tasks/gitolite.yml
index 5cbce23..90b3015 100644
--- a/roles/git/tasks/gitolite.yml
+++ b/roles/git/tasks/gitolite.yml
@@ -26,8 +26,8 @@ - name: Configure gitolite lineinfile: dest=/var/lib/gitolite/.gitolite.rc - "regexp=^(\\s*{{ item.var }}\\s*=>\\s*)" - "line= {{ item.var }} => {{ item.value }}," + regexp='^(\\s*{{ item.var }}\\s*=>\\s*)' + line=' {{ item.var }} => {{ item.value }},' owner=root group=root mode=0644 with_items:
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index da9f876..e24402a 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -1,2 +1,4 @@
-- include: gitolite.yml tags=gitolite
-- include: cgit.yml tags=cgit
+- include: gitolite.yml
+ tags: gitolite
+- include: cgit.yml
+ tags: cgit
diff --git a/roles/lists/tasks/main.yml b/roles/lists/tasks/main.yml
index f0e8e26..b43c948 100644
--- a/roles/lists/tasks/main.yml
+++ b/roles/lists/tasks/main.yml
@@ -1,3 +1,13 @@
-- include: mail.yml tags=postfix,mail
-- include: nginx.yml tags=nginx,www,web
-- include: sympa.yml tags=sympa,lists
+- include: mail.yml
+ tags:
+ - postfix
+ - mail
+- include: nginx.yml
+ tags:
+ - nginx
+ - www
+ - web
+- include: sympa.yml
+ tags:
+ - sympa
+ - lists
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 21e769a..34d42bd 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -27,7 +27,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/lists.fripost.org.pem dest=certs/public/ fail_on_missing=yes
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 030a547..8ee50bd 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -1,3 +1,9 @@ -- include: mail.yml tags=postfix,mail +- include: mail.yml when: "'out' not in group_names" -- include: roundcube.yml tags=roundcube,webmail + tags: + - postfix + - mail +- include: roundcube.yml + tags: + - roundcube + - webmail
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 3eaf766..eb04ba1 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -40,8 +40,8 @@ - name: Configure Roundcube lineinfile: dest=/etc/roundcube/config.inc.php - "regexp=^\\s*\\$config\\['{{ item.var }}'\\]\\s*=" - "line=$config['{{ item.var }}'] = {{ item.value }};" + regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*=' + line='$config[\'{{ item.var }}\'] = {{ item.value }};' owner=root group=www-data mode=0640 with_items:
@@ -129,7 +129,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/mail.fripost.org.pem dest=certs/public/ fail_on_missing=yes
diff --git a/roles/wiki/handlers/main.yml b/roles/wiki/handlers/main.yml
index 42ae6ef..109c63d 100644
--- a/roles/wiki/handlers/main.yml
+++ b/roles/wiki/handlers/main.yml
@@ -3,5 +3,5 @@ service: name=nginx state=restarted - name: Refresh ikiwiki - sudo_user: ikiwiki + become_user: ikiwiki command: ikiwiki --setup /var/lib/ikiwiki/fripost-wiki.setup --refresh --wrappers
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 763f99a..9748768 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -59,7 +59,7 @@ - name: Add fripost-wiki to /etc/ikiwiki/wikilist lineinfile: dest=/etc/ikiwiki/wikilist - "line=ikiwiki /var/lib/ikiwiki/fripost-wiki.setup" + line='ikiwiki /var/lib/ikiwiki/fripost-wiki.setup' owner=root group=root mode=0644
@@ -97,7 +97,7 @@ - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data - sudo: False + become: False fetch: src=/etc/nginx/ssl/www.fripost.org.pem dest=certs/public/fripost.org.pem fail_on_missing=yes
-- cgit v1.2.3