diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..69f9b3f --- /dev/null +++ b/.drone.yml @@ -0,0 +1,30 @@ +--- +kind: pipeline +type: docker +name: default + +steps: + - name: lint markdown files + image: pipelinecomponents/remark-lint:latest + commands: + - "remark --no-stdout --color --use preset-lint-recommended ." + + - name: lint yaml files + image: pipelinecomponents/yamllint:latest + commands: + - "yamllint ." + + - name: lint ansible scripts + image: pipelinecomponents/ansible-lint:latest + commands: + - > + find . -maxdepth 1 -name '*.yml' + | sort + | grep -v '.drone.yml' + | xargs ansible-playbook --syntax-check --list-tasks + + - > + find . -maxdepth 1 -name '*.yml' + | sort + | grep -v '.drone.yml' + | xargs ansible-lint diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c50afd9..d8caf95 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
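Review bot: All three lint steps in the new .drone.yml pull `pipelinecomponents/*:latest`, so the toolchain that runs in CI is whatever the registry serves that day: results are not reproducible between runs, and an upstream tag rewrite silently changes what executes against the repository. Pin each image to a version tag or, better, a digest, e.g. `image: pipelinecomponents/yamllint:<pinned-tag>` (placeholder — use the version the playbooks were validated against) and bump it deliberately. Separately, `grep -v '.drone.yml'` in the two ansible-lint commands is an unanchored basic regex where `.` matches any character; `grep -vx './.drone.yml'`, or `find . -maxdepth 1 -name '*.yml' ! -name '.drone.yml'`, expresses the exclusion exactly.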
@@ -2,17 +2,17 @@ Contributions are welcome, as long as they respect our current workflow: -1. The master branch is only for releases. Once properly tested, -the dev branch can be merged, the release tagged and a tar archive -created. +1. The master branch is only for releases. Once properly tested, + the dev branch can be merged, the release tagged and a tar archive + created. -2. The dev branch should never be commited to directly, unless -you're updating the CHANGELOG file. +2. The dev branch should never be commited to directly, unless + you're updating the CHANGELOG file. -3. Use feature branches for anything else, once they've passed all -CI tests and have been reviewed by other contributors through a -pull request, they may be merged into the dev branch. +3. Use feature branches for anything else, once they've passed all + CI test, lints and have been reviewed by other contributors through a + pull request, they may be merged into the dev branch. Open issues liberally, but please review closed and opened issues -for duplicates before hand. \ No newline at end of file +for duplicates before hand. diff --git a/README.md b/README.md index 2d65ac2..6f3d3dc 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ used by Evolix. Put your public key in the remote root's autorized_keys (/root/.ssh/authorized_keys) -1 - Install ansible's prerequisites +1. Install ansible's prerequisites ``` ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME ``` -2 - Run it +2. Run it ``` ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME 
@@ -26,19 +26,19 @@ ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME Changes can be tested by using [Packer](https://www.packer.io/) and [vmm(4)](https://man.openbsd.org/vmm.4) : -* This process depends on the [Go](https://golang.org/) programming language. +* This process depends on the [Go](https://golang.org/) programming language. ``` # pkg_add go packer ``` -* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) +* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) ``` $ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm ``` -* Here is an example build file +* Here is an example build file ``` $ vim openbsd.json @@ -101,25 +101,25 @@ $ vim openbsd.json } -* You need your unprivileged user to be able to run vmctl(8) through doas(1) +* You need your unprivileged user to be able to run vmctl(8) through doas(1) ``` # echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf ``` -* Build the virtual machine +* Build the virtual machine ``` $ packer build openbsd.json ``` -* Start it +* Start it ``` doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2 ``` -* Enable NAT on your host machine +* Enable NAT on your host machine ``` pass out on em0 inet from tap0:network to any nat-to (em0) diff --git a/evolixisation.yml b/evolixisation.yml index 003d941..da873e6 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -10,13 +10,13 @@ become: true become_user: root become_method: sudo -# become_method: su + # become_method: su vars_files: - vars/main.yml -# - vars/secrets.yml -# - vars/openbsd-secret.yml + # - vars/secrets.yml + # - vars/openbsd-secret.yml roles: - etc-git @@ -27,9 +27,9 @@ - nagios-nrpe - evocheck - post-install - #- openvpn - #- ospf - #- bgp + # - openvpn + # - ospf + # - bgp post_tasks: - include: "tasks/commit_etc_git.yml" 
@@ -40,6 +40,5 @@ tasks_from: exec.yml # environment: -# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" - -# vim:ft=ansible +# yamllint disable-line rule:line-length +# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" diff --git a/prerequisite.yml b/prerequisite.yml index 4695566..aaf5bbb 100644 --- a/prerequisite.yml +++ b/prerequisite.yml @@ -2,15 +2,16 @@ # ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME --- - - hosts: all - become: yes - become_method: su - user: root - gather_facts: no +- hosts: all + become: true + become_method: su + user: root + gather_facts: false - tasks: + tasks: - name: Install ansible's prerequisite + # yamllint disable-line rule:line-length raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2 # vim:ft=ansible diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index 704d908..02d8749 100644 --- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml @@ -30,13 +30,15 @@ check_mode: false register: grep_allowusers_ssh -- assert: +- name: "Check that AllowUsers and AllowGroup do not override each other" + assert: that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" msg: "We can't deal with AllowUsers and AllowGroups at the same time" -- set_fact: - # If "AllowGroups is present" - ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" +- name: "If AllowGroups is present then use it" + set_fact: + ssh_allowgroups: + "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" lineinfile: diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml index 0748c9f..9be1d76 100644 --- a/roles/base/defaults/main.yml +++ b/roles/base/defaults/main.yml 
@@ -1,30 +1,35 @@ --- ntpd_servers: -- "ntp.evolix.net" + - "ntp.evolix.net" general_alert_email: "root@localhost" general_technical_realm: "example.com" evomaintenance_realm: "example.com" -evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" -evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" -evomaintenance_pg_host: Null -evomaintenance_pg_passwd: Null -evomaintenance_pg_db: Null -evomaintenance_pg_table: Null +evomaintenance_alert_email: + "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" +evomaintenance_hostname: + "{{ inventory_hostname }}.{{ general_technical_realm }}" +evomaintenance_pg_host: null +evomaintenance_pg_passwd: null +evomaintenance_pg_db: null +evomaintenance_pg_table: null evomaintenance_from_domain: "{{ evomaintenance_realm }}" evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" evomaintenance_urgency_from: mama.doe@example.com evomaintenance_urgency_tel: "06.00.00.00.00" -evomaintenance_install_vendor: False -evomaintenance_force_config: True -evomaintenance_api_endpoint: Null -evomaintenance_api_key: Null -evomaintenance_hook_api: True -evomaintenance_hook_db: False -evomaintenance_hook_commit: True -evomaintenance_hook_mail: True +evomaintenance_install_vendor: false +evomaintenance_force_config: true +evomaintenance_api_endpoint: null +evomaintenance_api_key: null +evomaintenance_hook_api: true +evomaintenance_hook_db: false +evomaintenance_hook_commit: true +evomaintenance_hook_mail: true evomaintenance_default_hosts: [] evomaintenance_additional_hosts: [] -evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}" +evomaintenance_hosts: > + {{ evomaintenance_default_hosts + | union(evomaintenance_additional_hosts) + | unique }} 
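Review bot: `evomaintenance_hosts: >` at the end of the hunk folds the expression onto one line but, as a clip-chomped block scalar, keeps a trailing newline, so the value Ansible templates is `{{ … | unique }}` followed by `\n` rather than the bare expression the old one-line form produced. Whether Ansible still turns the rendered list text back into a list with that newline attached depends on its type-conversion path, so it is worth checking on a real run; `>-` removes the doubt while keeping the wrapped layout: `evomaintenance_hosts: >-`. The same `>` header is used for the cron `job:` values in roles/bgp/tasks/main.yml and roles/etc-git/tasks/main.yml and for the `set_fact` values in roles/etc-git/tasks/commit.yml, where a trailing newline inside a crontab line or a commit author string is more visible.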
diff --git a/roles/base/tasks/doas.yml b/roles/base/tasks/doas.yml index 9c866a5..538b1af 100644 --- a/roles/base/tasks/doas.yml +++ b/roles/base/tasks/doas.yml @@ -6,8 +6,6 @@ owner: root group: wheel mode: "0640" - backup: no + backup: false tags: - - doas - - + - doas diff --git a/roles/base/tasks/dotfiles.yml b/roles/base/tasks/dotfiles.yml index a132e03..f8598df 100644 --- a/roles/base/tasks/dotfiles.yml +++ b/roles/base/tasks/dotfiles.yml @@ -39,10 +39,10 @@ dest: /etc/skel/.profile insertafter: EOF line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0' - create: yes + create: true tags: - - admin - - dotfiles + - admin + - dotfiles - name: Add vim configuration to dotfiles for new users copy: diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml index ba5a24a..6ec8db5 100644 --- a/roles/base/tasks/evobackup.yml +++ b/roles/base/tasks/evobackup.yml @@ -6,7 +6,7 @@ owner: root group: wheel mode: "0755" - force: no + force: false tags: - evobackup @@ -16,6 +16,6 @@ line: '#sh /usr/share/scripts/zzz_evobackup' owner: root mode: "0644" - create: yes + create: true tags: - evobackup diff --git a/roles/base/tasks/evomaintenance.yml b/roles/base/tasks/evomaintenance.yml index f1d1c18..9d51c7a 100644 --- a/roles/base/tasks/evomaintenance.yml +++ b/roles/base/tasks/evomaintenance.yml @@ -10,10 +10,15 @@ - evomaintenance - name: Copy evomaintenance script and template - copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755" + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: 'root' + group: 'wheel' + mode: '0755' with_items: - - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/' } - - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/' } + - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'} + - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'} tags: - evomaintenance - script-evomaintenance 
@@ -25,6 +30,6 @@ owner: root group: wheel mode: "0600" - backup: no + backup: false tags: - evomaintenance diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml index 321d837..dacd60d 100644 --- a/roles/base/tasks/mail.yml +++ b/roles/base/tasks/mail.yml @@ -2,8 +2,9 @@ - name: Configure rc.local lineinfile: path: /etc/rc.local - line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}' - create: yes + line: + 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}' + create: true tags: - misc @@ -12,7 +13,7 @@ dest: /etc/mail/aliases regexp: "# root:" replace: "root: {{ general_alert_email }}" - backup: no + backup: false notify: - newaliases tags: diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index 695ffe1..4decaee 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -10,20 +10,20 @@ - name: Install packages (vim rsync mtr etc) openbsd_pkg: name: - - wget - - vim--no_x11 - - rsync-- - - mtr-- - - iftop - - sudo-- - - postgresql-client + - wget + - vim--no_x11 + - rsync-- + - mtr-- + - iftop + - sudo-- + - postgresql-client tags: - pkg - name: Disable sndiod service: name: sndiod - enabled: no + enabled: false state: stopped tags: - pkg diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index 8ba489e..0d0467d 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -4,11 +4,11 @@ lineinfile: dest: /etc/sudoers insertafter: '# and set environment variables.' - line: '%wheel ALL=(ALL) SETENV: ALL' + line: '%wheel ALL=(ALL) SETENV: ALL' validate: 'visudo -cf %s' - backup: no + backup: false tags: - - sudo + - sudo - name: Configure sudoers for evomaintenance and monitoring blockinfile: @@ -19,8 +19,6 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh %wheel ALL=NOPASSWD: MAINT validate: 'visudo -cf %s' - backup: no + backup: false tags: - - sudo - - + - sudo 
diff --git a/roles/bgp/README.md b/roles/bgp/README.md index 51aad44..cd6545d 100644 --- a/roles/bgp/README.md +++ b/roles/bgp/README.md @@ -1,5 +1,5 @@ # BGP - + Deployment of BGP check script with its cron, and a best route log cron. ## Tasks @@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. -* `bgp_mailto` : email address the output of the script will be sent to when a change is detected -* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked +* `bgp_mailto` : email address the output of the script will be sent to when a change is detected +* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked diff --git a/roles/bgp/tasks/main.yml b/roles/bgp/tasks/main.yml index b67ab8f..a0304a7 100644 --- a/roles/bgp/tasks/main.yml +++ b/roles/bgp/tasks/main.yml @@ -5,7 +5,7 @@ dest: /usr/share/scripts/bgpd-check-peers.sh when: group_names | select('search','bgp') | list | count > 0 tags: - - bgp + - bgp - name: Cron job for bgp check script is installed cron: @@ -15,13 +15,13 @@ tags: - bgp -- name: Create bgp log directory +- name: Create bgp log directory file: path: /var/log/bgp state: directory when: group_names | select('search','bgp') | list | count > 0 tags: - - bgp + - bgp - name: weekly best routes cron job is installed cron: @@ -29,7 +29,9 @@ minute: 0 hour: 4 weekday: 0 - job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)" + job: > + /usr/sbin/bgpctl show rib selected + > /var/log/bgp/rib-selected-$(date +\\%F) when: group_names | select('search','bgp') | list | count > 0 tags: - bgp diff --git a/roles/etc-git/defaults/main.yml b/roles/etc-git/defaults/main.yml index 8a822ab..f160858 100644 --- a/roles/etc-git/defaults/main.yml +++ b/roles/etc-git/defaults/main.yml 
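Review bot: The `job:` rewrite in the `@@ -29,7 +29,9 @@` hunk of roles/bgp/tasks/main.yml changes the bytes that land in the crontab: in the old double-quoted scalar `\\%F` was a YAML escape yielding `\%F`, but inside a `>` block scalar backslashes are literal, so the entry now reads `$(date +\\%F)`. Cron must see the percent sign escaped for it not to be turned into a newline; whether the extra backslash survives cron's unescaping and is then dropped by the shell depends on the cron implementation, so keep the old output by writing `> /var/log/bgp/rib-selected-$(date +\%F)` in the block scalar. Using `>-` instead of `>` would also avoid the trailing newline that `>` appends to the job string.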
@@ -1,4 +1,4 @@ --- commit_message: Ansible run -etc_git_monitor_status: True +etc_git_monitor_status: true diff --git a/roles/etc-git/tasks/commit.yml b/roles/etc-git/tasks/commit.yml index e4166e7..d41de38 100644 --- a/roles/etc-git/tasks/commit.yml +++ b/roles/etc-git/tasks/commit.yml @@ -3,20 +3,20 @@ command: git status --porcelain args: chdir: /etc - changed_when: False + changed_when: false register: git_status when: not ansible_check_mode - ignore_errors: yes + ignore_errors: true tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - debug: var: git_status verbosity: 3 tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - name: fetch current Git user.email git_config: 
@@ -24,33 +24,49 @@ repo: /etc scope: local register: git_config_user_email - ignore_errors: yes + ignore_errors: true tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - name: set commit author set_fact: - commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}' - commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' + commit_author: > + {% if ansible_env.SUDO_USER is not defined %} + root + {% else %} + {{ ansible_env.SUDO_USER }} + {% endif %} + commit_email: > + {% if git_config_user_email.config_value is not defined + or git_config_user_email.config_value == "" %} + root@localhost + {% else %} + {{ git_config_user_email.config_value }} + {% endif %} tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\"" + shell: > + git add -A . + && git commit + -m "{{ commit_message | mandatory }}" + --author + "{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>" args: chdir: /etc register: etc_commit_end_run when: not ansible_check_mode and git_status.stdout != "" - ignore_errors: yes + ignore_errors: true tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - debug: var: etc_commit_end_run verbosity: 4 tags: - - etc-git - - commit-etc + - etc-git + - commit-etc diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index e81c2f5..6b20325 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -12,7 +12,7 @@ args: chdir: /etc creates: /etc/.git/ - warn: no + warn: false register: git_init tags: - etc-git 
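Review bot: The `commit_author`/`commit_email` rewrite in `set commit author` no longer yields the bare values the old one-line templates did: a `>` scalar folds each line to a space and keeps the final newline, so the text handed to Jinja is `{% if … %} root {% else %} {{ … }} {% endif %}` plus `\n`, and the resulting facts carry those surrounding spaces and the trailing newline into the `--author "… <…>"` argument of the `shell:` task further down the hunk. Git tends to trim such surrounding whitespace from `--author`, but the commit then succeeds only by that tolerance, and `ignore_errors: true` would hide it if it ever did not. Use `>-` together with whitespace-control tags, e.g. `commit_author: >-` with `{%- if ansible_env.SUDO_USER is not defined -%}` / `{%- else -%}` / `{%- endif -%}` (and the same for `commit_email`), or apply `| trim` where the facts are consumed. The `shell: >` command itself folds to a single line and is fine apart from the same trailing newline.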
@@ -48,11 +48,11 @@ command: "git log" args: chdir: /etc - warn: no - changed_when: False - failed_when: False + warn: false + changed_when: false + failed_when: false register: git_log - check_mode: no + check_mode: false tags: - etc-git @@ -60,7 +60,7 @@ shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" args: chdir: /etc - warn: no + warn: false register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init.changed) tags: @@ -72,7 +72,7 @@ line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet' owner: root mode: "0644" - create: yes + create: true tags: - etc-git @@ -82,7 +82,7 @@ line: "{{ item }}" owner: root mode: "0644" - create: yes + create: true when: etc_git_monitor_status tags: - etc-git @@ -93,7 +93,8 @@ - name: cron job for /etc/.git status is removed lineinfile: path: /etc/daily.local - line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + line: + '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' owner: root mode: "0644" state: absent @@ -105,7 +106,13 @@ cron: name: git status minute: 42 - job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short" + job: > + who + > /dev/null + || /usr/local/bin/git + --git-dir=/etc/.git + --work-tree=/etc + status --short when: etc_git_monitor_status tags: - etc-git @@ -114,7 +121,13 @@ cron: name: git status minute: 42 - job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short" + job: > + who + > /dev/null + || /usr/local/bin/git + --git-dir=/etc/.git + --work-tree=/etc + status --short state: absent when: not etc_git_monitor_status tags: diff --git a/roles/evocheck/tasks/exec.yml b/roles/evocheck/tasks/exec.yml index 244d034..d7f9ac6 100644 --- a/roles/evocheck/tasks/exec.yml +++ b/roles/evocheck/tasks/exec.yml 
@@ -2,9 +2,9 @@ - name: run evocheck command: "{{ evocheck_bin_dir }}/evocheck.sh" register: evocheck_run - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false tags: - evocheck-exec @@ -12,4 +12,4 @@ var: evocheck_run.stdout_lines when: evocheck_run.stdout != "" tags: - - evocheck-exec + - evocheck-exec diff --git a/roles/evocheck/tasks/install.yml b/roles/evocheck/tasks/install.yml index 915bc98..6b88c17 100644 --- a/roles/evocheck/tasks/install.yml +++ b/roles/evocheck/tasks/install.yml @@ -15,7 +15,7 @@ dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" owner: root - force: yes + force: true tags: - evocheck @@ -23,7 +23,7 @@ copy: src: evocheck.cf dest: /etc/evocheck.cf - force: no + force: false tags: - evocheck @@ -33,6 +33,6 @@ line: 'sh /usr/share/scripts/evocheck.sh --verbose --cron' owner: root mode: "0644" - create: yes + create: true tags: - evocheck diff --git a/roles/forwarding/tasks/main.yml b/roles/forwarding/tasks/main.yml index d424c35..f97c4af 100644 --- a/roles/forwarding/tasks/main.yml +++ b/roles/forwarding/tasks/main.yml @@ -4,7 +4,7 @@ name: net.inet.ip.forwarding value: 1 state: present - reload: yes + reload: true tags: - net @@ -13,6 +13,6 @@ name: net.inet6.ip6.forwarding value: 1 state: present - reload: yes + reload: true tags: - net diff --git a/roles/nagios-nrpe/README.md b/roles/nagios-nrpe/README.md index 3f3f9a9..42dde0e 100644 --- a/roles/nagios-nrpe/README.md +++ b/roles/nagios-nrpe/README.md @@ -8,6 +8,6 @@ Everything is in the `tasks/main.yml` file. ## Available variables -* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). +* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/roles/nagios-nrpe/defaults/main.yml b/roles/nagios-nrpe/defaults/main.yml index 96c3ddd..c27efa8 100644 
--- a/roles/nagios-nrpe/defaults/main.yml +++ b/roles/nagios-nrpe/defaults/main.yml @@ -2,7 +2,8 @@ evolix_trusted_ips: [] additional_trusted_ips: [] # Let's merge evolix_trusted_ips with additional_trusted_ips -nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +nagios_nrpe_allowed_hosts: + "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT" nagios_nrpe_ldap_passwd: LDAP_PASSWD nagios_nrpe_pgsql_passwd: PGSQL_PASSWD diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 270de2f..2b4abd0 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -54,5 +54,5 @@ - name: Starting and enabling nrpe service: name: nrpe - enabled: yes + enabled: true state: started diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 79299c4..c3b0d80 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -3,7 +3,7 @@ openbsd_pkg: name: "openvpn--" tags: - - openvpn + - openvpn - name: Create /etc/openvpn directory file: 
@@ -13,59 +13,62 @@ group: "wheel" mode: "0755" tags: - - openvpn + - openvpn - name: Deploy OpenVPN configuration - template: - src: "server.conf.j2" + template: + src: "server.conf.j2" dest: "/etc/openvpn/server.conf" - mode: "0600" + mode: "0600" notify: restart openvpn tags: - - openvpn + - openvpn - name: Enabling OpenVPN service: name: openvpn - enabled: yes + enabled: true tags: - - openvpn + - openvpn - name: Set OpenVPN flag shell: 'rcctl set openvpn flags "--config /etc/openvpn/server.conf"' tags: - - openvpn + - openvpn - name: Create shellpki user user: name: "_shellpki" - system: yes - state: present - system: yes + system: true + state: present home: "/etc/shellpki/" shell: "/sbin/nologin" tags: - - openvpn + - openvpn - name: Copy some shellpki files - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root group: wheel mode: "{{ item.mode }}" - force: yes + force: true with_items: - - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' } - - { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' } + - src: 'files/shellpki/openssl.cnf' + dest: '/etc/shellpki/openssl.cnf' + mode: '0640' + - src: 'files/shellpki/shellpki' + dest: '/usr/local/sbin/shellpki' + mode: '0755' tags: - openvpn - name: Deploy DH PARAMETERS - template: - src: "dh2048.pem.j2" + template: + src: "dh2048.pem.j2" dest: "/etc/shellpki/dh2048.pem" - mode: "0600" + mode: "0600" tags: - openvpn @@ -77,7 +80,7 @@ group: "wheel" mode: "0755" tags: - - openvpn + - openvpn - name: Include /etc/sudoers.d in sudoers configuration file lineinfile: 
@@ -91,20 +94,22 @@ src: "sudo_shellpki" dest: "/etc/sudoers.d/shellpki" force: true - mode: "0440" + mode: "0440" validate: '/usr/local/sbin/visudo -cf %s' tags: - - openvpn + - openvpn - name: Copy check_openvpn - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root group: wheel mode: "{{ item.mode }}" - force: yes + force: true with_items: - - { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' } + - src: 'files/check_openvpn.pl' + dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl' + mode: '0755' tags: - openvpn diff --git a/roles/ospf/README.md b/roles/ospf/README.md index f0e929c..7be1224 100644 --- a/roles/ospf/README.md +++ b/roles/ospf/README.md @@ -1,5 +1,5 @@ # OSPF - + Deployment of OSPF check scripts with their cron. ## Tasks @@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. -* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected -* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs +* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected +* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs diff --git a/roles/ospf/tasks/main.yml b/roles/ospf/tasks/main.yml index aa04759..d1b28be 100644 --- a/roles/ospf/tasks/main.yml +++ b/roles/ospf/tasks/main.yml @@ -8,7 +8,7 @@ - "ospf6d-check-peers.sh" when: group_names | select('search','ospf') | list | count > 0 tags: - - ospf + - ospf - name: Cron job for ospf check scripts is installed cron: diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 30aef63..8df8414 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml 
@@ -4,4 +4,4 @@ src: pf.conf.j2 dest: /etc/pf.conf mode: "0600" - backup: yes + backup: true diff --git a/tasks/commit_etc_git.yml b/tasks/commit_etc_git.yml index 032e898..2925120 100644 --- a/tasks/commit_etc_git.yml +++ b/tasks/commit_etc_git.yml @@ -3,19 +3,25 @@ command: git status --porcelain args: chdir: /etc - changed_when: False + changed_when: false register: git_status when: not ansible_check_mode - ignore_errors: yes + ignore_errors: true tags: - - commit-etc - + - commit-etc +# yamllint disable rule:line-length - name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\"" + shell: > + git add -A . + && git commit + -m "{{ commit_message | default('Ansible run') }}" + --author="{{ ansible_env.SUDO_USER | default('Root') }}" + < "{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>" args: chdir: /etc register: etc_commit_end_evolinux when: not ansible_check_mode and git_status.stdout != "" - ignore_errors: yes + ignore_errors: true tags: - - commit-etc + - commit-etc +# yamllint enable rule:line-length diff --git a/vars/main.yml b/vars/main.yml index 098a8d2..347a44e 100644 --- a/vars/main.yml +++ b/vars/main.yml 
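Review bot: The folded `shell: >` in `/etc modifications are committed` (tasks/commit_etc_git.yml) breaks the `git commit` invocation: the author used to be one argument, `--author="USER <USER@realm>"`, but the new lines split it into `--author="USER"` followed by ` < "USER@realm>"`, which the shell reads as an input redirection from a file named `USER@realm>`. That file does not exist, so the command fails before git runs, and because the task keeps `ignore_errors: true` the failure is swallowed and /etc is left uncommitted on every run; even without the redirection, `--author=USER` with no `<…>` makes git search existing commits for a matching author nickname instead of using the value. Keep the whole author in one quoted argument — `--author="{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>"` — which the surrounding `yamllint disable rule:line-length` already permits, and consider dropping `ignore_errors` here so a failed commit is reported.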
@@ -3,29 +3,31 @@ ## Edit and uncomment to overwrite the default values ## ######################################################## -#ntpd_servers: -#- "ntp.evolix.net" +# ntpd_servers: +# - "ntp.evolix.net" # -#general_alert_email: "root@localhost" -#general_technical_realm: "example.com" +# general_alert_email: "root@localhost" +# general_technical_realm: "example.com" evolinux_ssh_group: "evolinux-ssh" evolinux_sudo_group: "evolinux-sudo" evolinux_root_disable_ssh: true # -#evomaintenance_realm: "example.com" -#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" -#evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" -#evomaintenance_pg_host: Null -#evomaintenance_pg_passwd: Null -#evomaintenance_pg_db: Null -#evomaintenance_pg_table: Null -#evomaintenance_from_domain: "{{ evomaintenance_realm }}" -#evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" -#evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" -#evomaintenance_urgency_from: mama.doe@example.com -#evomaintenance_urgency_tel: "06.00.00.00.00" +# evomaintenance_realm: "example.com" +# evomaintenance_alert_email: +# "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" +# evomaintenance_hostname: +# "{{ inventory_hostname }}.{{ general_technical_realm }}" +# evomaintenance_pg_host: Null +# evomaintenance_pg_passwd: Null +# evomaintenance_pg_db: Null +# evomaintenance_pg_table: Null +# evomaintenance_from_domain: "{{ evomaintenance_realm }}" +# evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" +# evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" +# evomaintenance_urgency_from: mama.doe@example.com +# evomaintenance_urgency_tel: "06.00.00.00.00" # -#evolix_users: +# evolix_users: # foo: # name: foo # uid: 1042