Merge pull request 'Ansible-lint and yamllint' (#32) from linting into dev

Reviewed-by: Jérémy Dubois <jdubois@noreply.gitea.evolix.org>
Reviewed-by: Tristan Pilat <drustan@noreply.gitea.evolix.org>
Tristan Pilat 2020-06-08 17:14:29 +02:00
commit 0b4e262f13
31 changed files with 279 additions and 195 deletions

30
.drone.yml Normal file

@ -0,0 +1,30 @@
---
kind: pipeline
type: docker
name: default
steps:
- name: lint markdown files
image: pipelinecomponents/remark-lint:latest
commands:
- "remark --no-stdout --color --use preset-lint-recommended ."
- name: lint yaml files
image: pipelinecomponents/yamllint:latest
commands:
- "yamllint ."
- name: lint ansible scripts
image: pipelinecomponents/ansible-lint:latest
commands:
- >
find . -maxdepth 1 -name '*.yml'
| sort
| grep -v '.drone.yml'
| xargs ansible-playbook --syntax-check --list-tasks
- >
find . -maxdepth 1 -name '*.yml'
| sort
| grep -v '.drone.yml'
| xargs ansible-lint
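Review bot: All three steps pull `pipelinecomponents/*:latest`, so the linters that gate merges can change underneath the pipeline without any commit in this repository, and a broken or compromised upstream tag is picked up silently. Pin each `image:` to a released tag, or better to a digest (`image: pipelinecomponents/yamllint@sha256:...`), and bump it deliberately. Separately, `find ... | xargs` without `-print0`/`-0` and the unanchored `grep -v '.drone.yml'` (the `.` matches any character) are fragile for filenames with spaces or names that merely contain `drone.yml`; `find . -maxdepth 1 -name '*.yml' ! -name '.drone.yml' -print0 | sort -z | xargs -0 ansible-lint` avoids both and needs no grep.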


@ -10,7 +10,7 @@ created.
you're updating the CHANGELOG file.
3. Use feature branches for anything else, once they've passed all
CI tests and have been reviewed by other contributors through a
CI test, lints and have been reviewed by other contributors through a
pull request, they may be merged into the dev branch.


@ -9,13 +9,13 @@ used by Evolix.
Put your public key in the remote root's autorized_keys
(/root/.ssh/authorized_keys)
1 - Install ansible's prerequisites
1. Install ansible's prerequisites
```
ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
```
2 - Run it
2. Run it
```
ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME


@ -40,6 +40,5 @@
tasks_from: exec.yml
# environment:
# yamllint disable-line rule:line-length
# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
# vim:ft=ansible


@ -3,14 +3,15 @@
---
- hosts: all
become: yes
become: true
become_method: su
user: root
gather_facts: no
gather_facts: false
tasks:
- name: Install ansible's prerequisite
# yamllint disable-line rule:line-length
raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2
# vim:ft=ansible
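Review bot: The `raw:` task only needs the `# yamllint disable-line rule:line-length` exemption because the command sits on one line; writing it as `raw: >-` with `export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/;` and `pkg_add -z python-2` on two indented lines yields the same command string (folding joins them with a space) and drops the lint exception. A comment on the task would also help: it installs the Python 2 package, which reached end of life in January 2020, so a note such as `# python-2 is EOL; switch to a python3 package once the playbooks are validated against it` records that this is a known debt rather than a choice.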


@ -30,13 +30,15 @@
check_mode: false
register: grep_allowusers_ssh
- assert:
- name: "Check that AllowUsers and AllowGroup do not override each other"
assert:
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
- set_fact:
# If "AllowGroups is present"
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
- name: "If AllowGroups is present then use it"
set_fact:
ssh_allowgroups:
"{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
lineinfile:
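Review bot: The new task name `If AllowGroups is present then use it` understates what the expression on the `ssh_allowgroups:` line computes: it is also true when neither directive is found (`grep_allowusers_ssh.rc != 0`), i.e. AllowGroups is the default, not only the preference. A name such as `"Use AllowGroups when it is present or when neither directive is set"`, or a comment to that effect above the `set_fact`, keeps the next reader from assuming an `AllowUsers` fallback. The `rc` tests also treat any non-zero grep status, including a read error on the sshd config, as "directive absent"; if the registering `grep` tasks rely on `failed_when` to tolerate that, a comment saying so would help. The registering `grep` tasks and the `lineinfile` task that follows start or end outside this hunk.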


@ -6,25 +6,30 @@ general_alert_email: "root@localhost"
general_technical_realm: "example.com"
evomaintenance_realm: "example.com"
evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
evomaintenance_pg_host: Null
evomaintenance_pg_passwd: Null
evomaintenance_pg_db: Null
evomaintenance_pg_table: Null
evomaintenance_alert_email:
"evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
evomaintenance_hostname:
"{{ inventory_hostname }}.{{ general_technical_realm }}"
evomaintenance_pg_host: null
evomaintenance_pg_passwd: null
evomaintenance_pg_db: null
evomaintenance_pg_table: null
evomaintenance_from_domain: "{{ evomaintenance_realm }}"
evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
evomaintenance_urgency_from: mama.doe@example.com
evomaintenance_urgency_tel: "06.00.00.00.00"
evomaintenance_install_vendor: False
evomaintenance_force_config: True
evomaintenance_api_endpoint: Null
evomaintenance_api_key: Null
evomaintenance_hook_api: True
evomaintenance_hook_db: False
evomaintenance_hook_commit: True
evomaintenance_hook_mail: True
evomaintenance_install_vendor: false
evomaintenance_force_config: true
evomaintenance_api_endpoint: null
evomaintenance_api_key: null
evomaintenance_hook_api: true
evomaintenance_hook_db: false
evomaintenance_hook_commit: true
evomaintenance_hook_mail: true
evomaintenance_default_hosts: []
evomaintenance_additional_hosts: []
evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"
evomaintenance_hosts: >
{{ evomaintenance_default_hosts
| union(evomaintenance_additional_hosts)
| unique }}
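Review bot: `evomaintenance_hosts: >` keeps the folded scalar's trailing newline, so the value Ansible templates is `{{ ... | unique }}` followed by a newline rather than the bare expression the old one-line form produced; Ansible usually still converts the rendered list, but the stray newline is the kind of difference that surfaces in odd places (string comparisons, `to_json`, lookup arguments). `>-` gives the same wrapped layout without it: `evomaintenance_hosts: >-`. The same applies to the other folded Jinja values introduced by this change.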


@ -6,8 +6,6 @@
owner: root
group: wheel
mode: "0640"
backup: no
backup: false
tags:
- doas


@ -39,7 +39,7 @@
dest: /etc/skel/.profile
insertafter: EOF
line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0'
create: yes
create: true
tags:
- admin
- dotfiles


@ -6,7 +6,7 @@
owner: root
group: wheel
mode: "0755"
force: no
force: false
tags:
- evobackup
@ -16,6 +16,6 @@
line: '#sh /usr/share/scripts/zzz_evobackup'
owner: root
mode: "0644"
create: yes
create: true
tags:
- evobackup


@ -10,7 +10,12 @@
- evomaintenance
- name: Copy evomaintenance script and template
copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755"
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: 'root'
group: 'wheel'
mode: '0755'
with_items:
- {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
- {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
@ -25,6 +30,6 @@
owner: root
group: wheel
mode: "0600"
backup: no
backup: false
tags:
- evomaintenance
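Review bot: The rewritten `copy:` task applies `mode: '0755'` to every item, so `evomaintenance.tpl` — a template, not a script — is installed executable alongside `evomaintenance.sh`. Since the item list is already being restructured, a per-item mode as the shellpki task in this same change uses (`mode: "{{ item.mode }}"` on the task, `mode: '0644'` on the `.tpl` entry and `mode: '0755'` on the `.sh` entry) would give the template only the permission it needs. This carries over pre-existing behaviour, so it is low priority, but the lint pass is a natural moment to fix it.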


@ -2,8 +2,9 @@
- name: Configure rc.local
lineinfile:
path: /etc/rc.local
line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
create: yes
line:
'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
create: true
tags:
- misc
@ -12,7 +13,7 @@
dest: /etc/mail/aliases
regexp: "# root:"
replace: "root: {{ general_alert_email }}"
backup: no
backup: false
notify:
- newaliases
tags:


@ -23,7 +23,7 @@
- name: Disable sndiod
service:
name: sndiod
enabled: no
enabled: false
state: stopped
tags:
- pkg


@ -6,7 +6,7 @@
insertafter: '# and set environment variables.'
line: '%wheel ALL=(ALL) SETENV: ALL'
validate: 'visudo -cf %s'
backup: no
backup: false
tags:
- sudo
@ -19,8 +19,6 @@
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh
%wheel ALL=NOPASSWD: MAINT
validate: 'visudo -cf %s'
backup: no
backup: false
tags:
- sudo


@ -29,7 +29,9 @@
minute: 0
hour: 4
weekday: 0
job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)"
job: >
/usr/sbin/bgpctl show rib selected
> /var/log/bgp/rib-selected-$(date +\\%F)
when: group_names | select('search','bgp') | list | count > 0
tags:
- bgp
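Review bot: Moving the cron `job:` into a folded block scalar changes how the `\\%F` on the last line is interpreted: inside the old double-quoted scalar YAML reduced `\\` to one backslash, so cron received `date +\%F`, but block scalars do not process escapes and cron now receives `date +\\%F`. Whether a doubled backslash still ends up as `%F` after cron's own `%` handling depends on the cron implementation, so the folded form should spell the single backslash explicitly: `> /var/log/bgp/rib-selected-$(date +\%F)`. Using `job: >-` also drops the trailing newline that `>` keeps, which otherwise becomes part of the crontab entry and may make the task report changed on every run.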


@ -1,4 +1,4 @@
---
commit_message: Ansible run
etc_git_monitor_status: True
etc_git_monitor_status: true


@ -3,10 +3,10 @@
command: git status --porcelain
args:
chdir: /etc
changed_when: False
changed_when: false
register: git_status
when: not ansible_check_mode
ignore_errors: yes
ignore_errors: true
tags:
- etc-git
- commit-etc
@ -24,26 +24,42 @@
repo: /etc
scope: local
register: git_config_user_email
ignore_errors: yes
ignore_errors: true
tags:
- etc-git
- commit-etc
- name: set commit author
set_fact:
commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
commit_author: >
{% if ansible_env.SUDO_USER is not defined %}
root
{% else %}
{{ ansible_env.SUDO_USER }}
{% endif %}
commit_email: >
{% if git_config_user_email.config_value is not defined
or git_config_user_email.config_value == "" %}
root@localhost
{% else %}
{{ git_config_user_email.config_value }}
{% endif %}
tags:
- etc-git
- commit-etc
- name: /etc modifications are committed
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
shell: >
git add -A .
&& git commit
-m "{{ commit_message | mandatory }}"
--author
"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>"
args:
chdir: /etc
register: etc_commit_end_run
when: not ansible_check_mode and git_status.stdout != ""
ignore_errors: yes
ignore_errors: true
tags:
- etc-git
- commit-etc
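Review bot: The folded `commit_author: >` / `commit_email: >` scalars turn every line break into a space, so the rendered values are padded (` root ` / ` root@localhost `, plus a trailing newline) instead of the bare strings the old one-line templates produced, and that padding then lands inside git's `--author "... <...>"` argument. The `if/else` blocks are not needed at all: `commit_author: "{{ ansible_env.SUDO_USER | default('root') }}"` and `commit_email: "{{ git_config_user_email.config_value | default('root@localhost', true) }}"` express the same fallbacks on one short line each (the second argument to `default` makes the empty-string case fall back too). Both values are interpolated into a `shell:` command; today they come from sudo's `SUDO_USER` and git's own config, but adding `| quote` would keep the task safe should either source ever carry shell metacharacters.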


@ -12,7 +12,7 @@
args:
chdir: /etc
creates: /etc/.git/
warn: no
warn: false
register: git_init
tags:
- etc-git
@ -48,11 +48,11 @@
command: "git log"
args:
chdir: /etc
warn: no
changed_when: False
failed_when: False
warn: false
changed_when: false
failed_when: false
register: git_log
check_mode: no
check_mode: false
tags:
- etc-git
@ -60,7 +60,7 @@
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
args:
chdir: /etc
warn: no
warn: false
register: git_commit
when: git_log.rc != 0 or (git_init is defined and git_init.changed)
tags:
@ -72,7 +72,7 @@
line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet'
owner: root
mode: "0644"
create: yes
create: true
tags:
- etc-git
@ -82,7 +82,7 @@
line: "{{ item }}"
owner: root
mode: "0644"
create: yes
create: true
when: etc_git_monitor_status
tags:
- etc-git
@ -93,7 +93,8 @@
- name: cron job for /etc/.git status is removed
lineinfile:
path: /etc/daily.local
line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
line:
'/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
owner: root
mode: "0644"
state: absent
@ -105,7 +106,13 @@
cron:
name: git status
minute: 42
job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
job: >
who
> /dev/null
|| /usr/local/bin/git
--git-dir=/etc/.git
--work-tree=/etc
status --short
when: etc_git_monitor_status
tags:
- etc-git
@ -114,7 +121,13 @@
cron:
name: git status
minute: 42
job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short"
job: >
who
> /dev/null
|| /usr/local/bin/git
--git-dir=/etc/.git
--work-tree=/etc
status --short
state: absent
when: not etc_git_monitor_status
tags:
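Review bot: Both cron tasks now use `job: >`, which keeps a trailing newline, so the string handed to the cron module ends in a newline; the module writes that into the crontab line, and since the line it reads back on the next run has none, the comparison may report the task as changed every time. `job: >-` is the form wanted here, in both the present and the `state: absent` task so that they describe the same job. The `who > /dev/null ||` guard relies on who(1) exiting non-zero when nobody is logged in, which I do not find documented for OpenBSD's who(1); that is pre-existing, but a comment stating the intended "only when no one is logged in" semantics — or a `[ -z "$(who)" ] &&` test — would make the line self-explanatory.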


@ -2,9 +2,9 @@
- name: run evocheck
command: "{{ evocheck_bin_dir }}/evocheck.sh"
register: evocheck_run
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
tags:
- evocheck-exec


@ -15,7 +15,7 @@
dest: "{{ evocheck_bin_dir }}/evocheck.sh"
mode: "0700"
owner: root
force: yes
force: true
tags:
- evocheck
@ -23,7 +23,7 @@
copy:
src: evocheck.cf
dest: /etc/evocheck.cf
force: no
force: false
tags:
- evocheck
@ -33,6 +33,6 @@
line: 'sh /usr/share/scripts/evocheck.sh --verbose --cron'
owner: root
mode: "0644"
create: yes
create: true
tags:
- evocheck


@ -4,7 +4,7 @@
name: net.inet.ip.forwarding
value: 1
state: present
reload: yes
reload: true
tags:
- net
@ -13,6 +13,6 @@
name: net.inet6.ip6.forwarding
value: 1
state: present
reload: yes
reload: true
tags:
- net


@ -2,7 +2,8 @@
evolix_trusted_ips: []
additional_trusted_ips: []
# Let's merge evolix_trusted_ips with additional_trusted_ips
nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
nagios_nrpe_allowed_hosts:
"{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
nagios_nrpe_ldap_passwd: LDAP_PASSWD
nagios_nrpe_pgsql_passwd: PGSQL_PASSWD


@ -54,5 +54,5 @@
- name: Starting and enabling nrpe
service:
name: nrpe
enabled: yes
enabled: true
state: started


@ -27,7 +27,7 @@
- name: Enabling OpenVPN
service:
name: openvpn
enabled: yes
enabled: true
tags:
- openvpn
@ -39,9 +39,8 @@
- name: Create shellpki user
user:
name: "_shellpki"
system: yes
system: true
state: present
system: yes
home: "/etc/shellpki/"
shell: "/sbin/nologin"
tags:
@ -54,10 +53,14 @@
owner: root
group: wheel
mode: "{{ item.mode }}"
force: yes
force: true
with_items:
- { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
- { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' }
- src: 'files/shellpki/openssl.cnf'
dest: '/etc/shellpki/openssl.cnf'
mode: '0640'
- src: 'files/shellpki/shellpki'
dest: '/usr/local/sbin/shellpki'
mode: '0755'
tags:
- openvpn
@ -103,8 +106,10 @@
owner: root
group: wheel
mode: "{{ item.mode }}"
force: yes
force: true
with_items:
- { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' }
- src: 'files/check_openvpn.pl'
dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl'
mode: '0755'
tags:
- openvpn


@ -4,4 +4,4 @@
src: pf.conf.j2
dest: /etc/pf.conf
mode: "0600"
backup: yes
backup: true


@ -3,19 +3,25 @@
command: git status --porcelain
args:
chdir: /etc
changed_when: False
changed_when: false
register: git_status
when: not ansible_check_mode
ignore_errors: yes
ignore_errors: true
tags:
- commit-etc
# yamllint disable rule:line-length
- name: /etc modifications are committed
shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\""
shell: >
git add -A .
&& git commit
-m "{{ commit_message | default('Ansible run') }}"
--author="{{ ansible_env.SUDO_USER | default('Root') }}"
< "{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>"
args:
chdir: /etc
register: etc_commit_end_evolinux
when: not ansible_check_mode and git_status.stdout != ""
ignore_errors: yes
ignore_errors: true
tags:
- commit-etc
# yamllint enable rule:line-length
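Review bot: The folded `shell: >` breaks the `--author` argument in two: the line `--author="{{ ... }}"` closes its quotes, and the next line begins with `< "...@{{ general_technical_realm }}>"`, which the shell parses as an input redirection from a file named `<user>@<realm>>` rather than as part of the author string, so the commit fails — and `ignore_errors: true` hides that. Keep the whole author inside one quoted string across the fold: `--author="{{ ansible_env.SUDO_USER | default('Root') }}` on one line and `<{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>"` on the next; folding joins them with a single space and yields `Name <Name@realm>` as before. With lines this short the surrounding `# yamllint disable/enable rule:line-length` pair is no longer needed, and `>-` would avoid the trailing newline. Given the silent failure mode, consider replacing `ignore_errors: true` with a `failed_when` that tolerates only the "nothing to commit" case.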


@ -13,8 +13,10 @@ evolinux_sudo_group: "evolinux-sudo"
evolinux_root_disable_ssh: true
#
# evomaintenance_realm: "example.com"
#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
#evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
# evomaintenance_alert_email:
# "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}"
# evomaintenance_hostname:
# "{{ inventory_hostname }}.{{ general_technical_realm }}"
# evomaintenance_pg_host: Null
# evomaintenance_pg_passwd: Null
# evomaintenance_pg_db: Null