evolinux-base: add conditions for most of tasks

This commit is contained in:
Jérémy Lecour 2017-01-03 16:37:23 +01:00 committed by Jérémy Lecour
parent 475ccf3bd1
commit 130e1f2b0e
14 changed files with 183 additions and 98 deletions


@ -19,11 +19,11 @@ Various tasks for Evolinux setup.
* `provider_online` :
* `provider_orange_fce` :
Each task file is included in the `main.yml` file with a condition based on a variable like `evolinux_tasks_hostname` (mostly `True` by default). The variables can be set to `False` to disable groups of tasks. Finer grained tasks disabling is done in each group of tasks.
## Available variables
Main variables are :
Each tasks group is included in the `main.yml` file with a condition based on a variable like `evolinux_hostname_include` (mostly `True` by default). The variables can be set to `False` to disable a . Finer grained tasks disabling is done in each group of tasks.
Main variables are:
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
* `apt_alert_email`: email address to send APT messages to (default: `general_alert_email`).


@ -11,7 +11,10 @@ postfix_alias_email: Null
# hostname
evolinux_tasks_hostname: True
evolinux_hostname_include: True
evolinux_hostname_hosts: True
evolinux_hostname_mailname: True
evolinux_hostname: "{{ ansible_hostname }}"
evolinux_domain: "{{ ansible_domain }}"
@ -20,7 +23,7 @@ evolinux_internal_hostname: "{{ evolinux_hostname }}"
# kernel
evolinux_tasks_kernel: True
evolinux_kernel_include: True
evolinux_kernel_reboot_after_panic: True
evolinux_kernel_disable_tcp_timestamps: True
@ -29,65 +32,115 @@ evolinux_kernel_cve20165696: True
# apt
evolinux_tasks_apt: True
evolinux_apt_include: True
evolinux_apt_upgrade: True
evolinux_apt_repositories_components: "main"
evolinux_apt_conf: True
evolinux_apt_hooks: True
evolinux_apt_disable_originals: True
evolinux_apt_disable_debsrc: True
evolinux_apt_basic_sources: True
evolinux_apt_public_sources: True
evolinux_apt_upgrade: True
evolinux_apt_remove_aptitude: True
evolinux_apt_repositories_components: "main"
# fstab
evolinux_tasks_fstab: True
evolinux_fstab_include: True
evolinux_fstab_var_tmp: True
# packages
evolinux_tasks_packages: True
evolinux_packages_include: True
evolinux_delete_nfs: True
evolinux_packages_system: True
evolinux_packages_diagnostic: True
evolinux_packages_hardware: True
evolinux_packages_common: True
evolinux_packages_serveur_base: True
evolinux_packages_invalid_mta: True
evolinux_packages_delete_nfs: True
evolinux_packages_listchanges: True
# system
evolinux_tasks_system: True
evolinux_system_include: True
evolinux_ntp_server: Null
evolinux_timezone: "Europe/Paris"
evolinux_system_chmod_tmp: True
evolinux_system_locales: True
evolinux_system_timezone: "Europe/Paris"
evolinux_system_vim_default: True
evolinux_system_profile: True
evolinux_system_dirmode_adduser: True
evolinux_system_alert5_init: True
evolinux_system_alert5_enable: True
evolinux_system_eni_auto: True
evolinux_system_ntp_server: False
# root
evolinux_tasks_root: True
evolinux_root_include: True
evolinux_root_chmod: True
evolinux_root_bashrc: True
evolinux_root_bash_history: True
evolinux_root_umask: True
evolinux_root_gitconfig: True
evolinux_root_bash_history_appendonly: True
evolinux_root_vim_default: True
evolinux_root_vim_conf: True
# ssh
evolinux_tasks_ssh: True
evolinux_ssh_include: True
evolinux_ssh_password_auth_addresses: []
evolinux_ssh_match_address: True
evolinux_ssh_disable_root: True
evolinux_ssh_disable_acceptenv: True
# postfix
evolinux_tasks_postfix: True
evolinux_postfix_include: True
evolinux_postfix_packages: True
evolinux_postfix_users_alias_root: True
evolinux_postfix_mailer_alias_root: True
evolinux_postfix_root_alias: True
evolinux_postfix_purge_exim: True
# logs
evolinux_tasks_logs: True
evolinux_logs_include: True
evolinux_logs_logrotate_confs: True
evolinux_logs_default_rotate: True
evolinux_logs_disable_logrotate_rsyslog: True
evolinux_logs_rsyslog_conf: True
# default www
evolinux_tasks_default_www: True
evolinux_default_www_include: True
evolinux_default_www_files: True
evolinux_default_www_ssl_cert: True
evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
evolinux_default_www_nginx_vhost: True
evolinux_default_www_nginx_enabled: False
evolinux_default_www_apache_vhost: True
evolinux_default_www_apache_enabled: False
evolinux_default_www_redirect_url: "http://evolix.fr"
evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
evolinux_default_www_nginx_enabled: False
evolinux_default_www_apache_enabled: False
# hardware
evolinux_tasks_hardware: True
evolinux_hardware_include: True
# providers
evolinux_tasks_provider_online: False
evolinux_tasks_provider_orange_fce: False
evolinux_provider_online_include: False
evolinux_provider_orange_fce_include: False
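Review bot: The new `evolinux_system_ntp_server: False` default (replacing the old `evolinux_ntp_server: Null`) only disables the NTP task because system.yml compares the value with `!= False`; an inventory that sets the variable to `null` or `""` would now pass that test and the task would write `server ` / `server None` into `/etc/ntp.conf`. Keeping the old null default and testing truthiness in the task, or documenting that only `False` or a hostname is accepted, would avoid that. As a style point, Ansible convention is lowercase `true`/`false` for these flags.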


@ -10,6 +10,7 @@
with_items:
- "APT::Install-Recommends \"0\";"
- "APT::Install-Suggests \"0\";"
when: evolinux_apt_conf
- name: DPKg invoke hooks
lineinfile:
@ -31,12 +32,14 @@
with_items:
# - '.+\.debian\.org'
- 'cdrom:'
when: evolinux_apt_disable_originals
- name: deb-src repositories are disabled
replace:
dest: /etc/apt/sources.list
regexp: '^(deb-src.+)'
replace: '# \1'
when: evolinux_apt_disable_debsrc
- name: Basic sources list is installed
lineinfile:
@ -46,14 +49,16 @@
- "deb http://security.debian.org/ jessie/updates {{ evolinux_apt_repositories_components | mandatory }}"
- "deb http://mirror.evolix.org/debian/ jessie {{ evolinux_apt_repositories_components | mandatory }}"
- "deb http://mirror.evolix.org/debian/ jessie-updates {{ evolinux_apt_repositories_components | mandatory }}"
when: evolinux_apt_basic_sources
- name: Evolix public list is installed
template:
src: apt/evolix_public.list.j2
copy:
src: apt/evolix_public.list
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
backup: yes
mode: 0640
when: evolinux_apt_public_sources
- name: Remove Aptitude
apt:
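Review bot: Switching the Evolix public list from `template` to `copy` means the file is now shipped verbatim, so `evolinux_apt_repositories_components` (made `mandatory` for the basic sources just above) presumably no longer applies to it — worth confirming the static `apt/evolix_public.list` carries the intended components, or keeping it a template. Unquoted `mode: 0640` is parsed as a YAML 1.1 octal and works, but Ansible recommends quoting modes (`mode: "0640"`) so a later edit such as `640` cannot silently become decimal. The "Remove Aptitude" task continues outside the hunk, so I could not check whether it gets the new `evolinux_apt_remove_aptitude` guard declared in the defaults.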


@ -4,6 +4,7 @@
path: /var/www
state: directory
mode: 0755
when: evolinux_default_www_files
- name: images are copied
copy:
@ -12,37 +13,40 @@
mode: 0755
directory_mode: 0755
follow: yes
when: evolinux_default_www_files
- name: index is copied
template:
src: default_www/index.html.j2
dest: /var/www/index.html
mode: 0755
when: evolinux_default_www_files
# SSL cert
- name: ssl-cert package is installed
apt:
name: ssl-cert
state: installed
- block:
- name: ssl-cert package is installed
apt:
name: ssl-cert
state: installed
- name: Create private key and csr for default site ({{ ansible_fqdn }})
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
- name: Create private key and csr for default site ({{ ansible_fqdn }})
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
- name: Adjust rights on private key
file:
path: /etc/ssl/private/{{ ansible_fqdn }}.key
owner: root
group: ssl-cert
mode: 0640
- name: Create certificate for default site
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
- name: Adjust rights on private key
file:
path: /etc/ssl/private/{{ ansible_fqdn }}.key
owner: root
group: ssl-cert
mode: 0640
- name: Create certificate for default site
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
when: evolinux_default_www_ssl_cert
# Nginx vhost
@ -60,8 +64,7 @@
# force: yes
notify: reload nginx
tags:
- nginx
- nginx
- name: nginx vhost is enabled
file:
@ -71,9 +74,9 @@
notify: reload nginx
when: evolinux_default_www_nginx_enabled
tags:
- nginx
- nginx
when: nginx_sites_available.stat.exists
when: evolinux_default_www_nginx_vhost and nginx_sites_available.stat.exists
# Apache vhost
@ -92,8 +95,7 @@
# force: yes
notify: reload apache
tags:
- apache
- apache
- name: Apache vhost is enabled
file:
@ -103,6 +105,6 @@
notify: reload apache
when: evolinux_default_www_apache_enabled
tags:
- apache
- apache
when: apache_sites_available.stat.exists
when: evolinux_default_www_apache_vhost and apache_sites_available.stat.exists
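Review bot: In the new `block`, the private key is written by `openssl req -nodes -keyout` one task before "Adjust rights on private key" tightens it to `0640 root:ssl-cert`; on OpenSSL versions that create the key with the caller's umask the file is briefly wider than intended, and only the directory permissions of `/etc/ssl/private` cover that window, so generating it restricted from the start (e.g. `shell: umask 077 && openssl req ...` with the same `creates:`) would be safer. The `index.html` template is installed with `mode: 0755`; a static HTML file needs no execute bit, `mode: 0644` is enough. The `nginx_sites_available`/`apache_sites_available` stat results used in the new `when:` lines are registered outside this hunk, so I could not verify they are still set when the vhost flags are false.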


@ -49,5 +49,6 @@
fstype: tmpfs
opts: defaults,noexec,nosuid,nodev,size=1024m
state: mounted
when: evolinux_fstab_var_tmp
- meta: flush_handlers
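Review bot: The `evolinux_fstab_var_tmp` guard defaults to true, so `/var/tmp` becomes a 1 GiB `noexec,nosuid,nodev` tmpfs on every host by default; unlike `/tmp`, `/var/tmp` is expected to survive reboots, so this deserves a comment on the task (`# NOTE: contents of /var/tmp no longer persist across reboots`) and a mention in the README. The `size=1024m` value is a candidate for a variable (e.g. `evolinux_fstab_var_tmp_size`) alongside the new flag. The mount task starts before the hunk, so the `name`/`src` lines were not visible to me.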


@ -8,6 +8,7 @@
dest: /etc/hosts
regexp: '^127.0.0.1(\s+)localhost.*$'
replace: '127.0.0.1\1localhost.localdomain localhost'
when: evolinux_hostname_hosts
- name: Set ip+fqdn+hostname in /etc/hosts
lineinfile:
@ -15,30 +16,35 @@
regexp: '^{{ ansible_default_ipv4.address }}\s+'
line: "{{ ansible_default_ipv4.address }} {{ evolinux_fqdn }} {{ evolinux_hostname }}"
insertafter: '127.0.0.1\s+localhost.localdomain'
when: evolinux_hostname_hosts
- name: 127.0.1.1 is removed
lineinfile:
dest: /etc/hosts
regexp: '^127.0.1.1\s+'
state: absent
when: evolinux_hostname_hosts
- name: /etc/mailname is up-to-date
copy:
dest: /etc/mailname
content: "{{ evolinux_fqdn }}\n"
force: yes
when: evolinux_hostname_mailname
- name: override ansible_hostname fact
# Override facts
- name: Override ansible_hostname fact
set_fact:
ansible_hostname: "{{ evolinux_hostname }}"
when: ansible_hostname != evolinux_hostname
- name: override ansible_domain fact
- name: Override ansible_domain fact
set_fact:
ansible_domain: "{{ evolinux_domain }}"
when: ansible_domain != evolinux_domain
- name: override ansible_fqdn fact
- name: Override ansible_fqdn fact
set_fact:
ansible_fqdn: "{{ evolinux_fqdn }}"
when: ansible_fqdn != evolinux_fqdn
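Review bot: The "Set ip+fqdn+hostname in /etc/hosts" task, now guarded by `evolinux_hostname_hosts`, dereferences `ansible_default_ipv4.address` in both `regexp` and `line`, which is undefined on a host without a default IPv4 route and fails the play; a guard such as `when: evolinux_hostname_hosts and ansible_default_ipv4.address is defined` would make the flag meaningful there. The three `set_fact` overrides of `ansible_hostname`/`ansible_domain`/`ansible_fqdn` are silently undone by any later `setup`/fact gathering in the same play, which is worth stating in the new `# Override facts` comment.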


@ -8,6 +8,7 @@
dest: /etc/rsyslog.conf
mode: 0644
notify: restart rsyslog
when: evolinux_logs_rsyslog_conf
- name: Disable logrotate default conf
command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
@ -15,14 +16,17 @@
removes: /etc/logrotate.d/rsyslog
creates: /etc/logrotate.d/rsyslog.disabled
notify: restart rsyslog
when: evolinux_logs_disable_logrotate_rsyslog
- name: Copy many logrotate files
copy:
src: logs/logrotate.d/
dest: /etc/logrotate.d/
when: evolinux_logs_logrotate_confs
- name: Configure logrotate.conf
replace:
dest: /etc/logrotate.conf
regexp: "rotate [0-9]*"
replace: "rotate 12"
when: evolinux_logs_default_rotate
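Review bot: "Disable logrotate default conf" uses `creates: /etc/logrotate.d/rsyslog.disabled`, so once the renamed file exists the task is skipped for good; if a later rsyslog package upgrade reinstalls `/etc/logrotate.d/rsyslog`, both it and the copied configuration will rotate the same logs, and the new `evolinux_logs_disable_logrotate_rsyslog` flag will not help. Dropping the `creates:` line and keeping only `removes:` (or using `dpkg-divert` for the conffile) keeps the task effective. The `copy` of `logs/logrotate.d/` sets no `mode:`, so the files get the remote umask; logrotate refuses world-writable configs, so `mode: 0644` is a cheap safeguard.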


@ -1,56 +1,56 @@
---
- name: Hostname
include: hostname.yml
when: evolinux_tasks_hostname
when: evolinux_hostname_include
- name: Kernel tuning
include: kernel.yml
when: evolinux_tasks_kernel
when: evolinux_kernel_include
- name: Apt configuration and packages install
include: apt.yml
when: evolinux_tasks_apt
when: evolinux_apt_include
- name: Fstab configuration
include: fstab.yml
when: evolinux_tasks_fstab
when: evolinux_fstab_include
- name: Packages
include: packages.yml
when: evolinux_tasks_packages
when: evolinux_packages_include
- name: System settings
include: system.yml
when: evolinux_tasks_system
when: evolinux_system_include
- name: Root user configuration
include: root.yml
when: evolinux_tasks_root
when: evolinux_root_include
- name: SSH configuration
include: ssh.yml
when: evolinux_tasks_ssh
when: evolinux_ssh_include
- name: Postfix
include: postfix.yml
when: evolinux_tasks_postfix
when: evolinux_postfix_include
- name: Logs management
include: logs.yml
when: evolinux_tasks_logs
when: evolinux_logs_include
- name: Default index page
include: default_www.yml
when: evolinux_tasks_default_www
when: evolinux_default_www_include
- name: Hardware drivers and tools
include: hardware.yml
when: evolinux_tasks_hardware
when: evolinux_hardware_include
- name: Customize for Online.net
include: provider_online.yml
when: evolinux_tasks_provider_online
when: evolinux_provider_online_include
- name: Customize for Orange FCE
include: provider_orange_fce.yml
when: evolinux_tasks_provider_orange_fce
when: evolinux_provider_orange_fce_include
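Review bot: Renaming every `evolinux_tasks_*` switch to `evolinux_*_include` without a compatibility fallback means an inventory that still sets, say, `evolinux_tasks_ssh: False` now silently re-enables the SSH tasks, since the new variable defaults to true. A transitional condition such as `when: evolinux_ssh_include | default(evolinux_tasks_ssh | default(True))` (or an early `assert`/`fail` on the old names) would make the migration explicit. The commit message does not mention the rename, so a changelog note is also warranted.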


@ -13,6 +13,7 @@
- pv
- apg
- conntrack
when: evolinux_packages_system
- name: Install/Update diagnostic tools
apt:
@ -26,6 +27,7 @@
- iotop
- tcpdump
- mtr-tiny
when: evolinux_packages_diagnostic
- name: Install/Update hardware tools
apt:
@ -34,7 +36,7 @@
- hdparm
- smartmontools
- lm-sensors
when: evolinux_packages_hardware
- name: Install/Update common tools
apt:
@ -50,12 +52,13 @@
- rsync
- bc
- pinentry-curses
when: evolinux_packages_common
- name: Install/Update serveur-base meta-package
command: "apt-get install -yq --allow-unauthenticated serveur-base"
register: install_server_base
changed_when: not (install_server_base.stdout | search("0 upgraded") and install_server_base.stdout | search("0 newly installed"))
when: evolinux_packages_serveur_base
- name: is an MTA installed?
command: "dpkg -S /usr/sbin/sendmail"
@ -66,7 +69,7 @@
- name: Install lsb-invalid-mta
apt:
name: lsb-invalid-mta
when: mta_installed.rc != 0
when: evolinux_packages_invalid_mta and mta_installed.rc != 0
- name: Deleting rpcbin and nfs-common
@ -76,7 +79,7 @@
with_items:
- rpcbind
- nfs-common
when: evolinux_delete_nfs
when: evolinux_packages_delete_nfs
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
@ -89,3 +92,4 @@
with_items:
- { option: "confirm", value: "1" }
- { option: "which", value: "both" }
when: evolinux_packages_listchanges
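Review bot: The `serveur-base` task now has an `evolinux_packages_serveur_base` guard, but still runs `apt-get install -yq --allow-unauthenticated serveur-base`, which disables apt signature verification for that meta-package and for every dependency pulled in the same transaction. Since the Evolix repository is configured by apt.yml, installing its signing key there and replacing this with `apt: name=serveur-base state=present` would keep the supply chain checked; if the key genuinely cannot be shipped, the flag at least deserves a comment explaining why the bypass is accepted. The `changed_when` based on `search("0 upgraded")` is locale-dependent; adding `environment: { LANG: C }` keeps it reliable.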


@ -7,6 +7,7 @@
with_items:
- postfix
- mailgraph
when: evolinux_postfix_packages
tags:
- packages
- postfix
@ -25,6 +26,7 @@
line: "{{ item }}: root"
with_items: "{{ non_root_users_list.stdout_lines }}"
notify: newaliases
when: evolinux_postfix_users_alias_root
tags:
- postfix
@ -38,6 +40,7 @@
- abuse
- mailer-daemon
notify: newaliases
when: evolinux_postfix_mailer_alias_root
tags:
- postfix
@ -47,6 +50,7 @@
regexp: "^root:"
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
notify: newaliases
when: evolinux_postfix_root_alias
tags:
- postfix
@ -66,4 +70,3 @@
tags:
- packages
- postfix
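Review bot: With `evolinux_postfix_packages` false, the alias tasks guarded by the new `evolinux_postfix_users_alias_root`/`evolinux_postfix_mailer_alias_root`/`evolinux_postfix_root_alias` flags still edit `/etc/aliases` and notify `newaliases`, which presumably fails on a host without an MTA; either document that the packages flag may only be disabled when postfix is already present, or fold it into the alias conditions. `non_root_users_list` is registered outside this hunk, so I could not check whether that command is itself conditional.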


@ -5,8 +5,7 @@
path: /root
state: directory
mode: 0700
tags:
- root
when: evolinux_root_chmod
- name: "Customize root's bashrc..."
lineinfile:
@ -18,8 +17,7 @@
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth"
- "export HISTSIZE=65535"
- "export HISTTIMEFORMAT=\"%c : \""
tags:
- root
when: evolinux_root_bashrc
## .bash_history should be append-only
@ -28,38 +26,31 @@
content: ""
dest: "/root/.bash_history"
force: no
tags:
- root
when: evolinux_root_bash_history
- name: Set umask in /root/.profile
lineinfile:
dest: "/root/.profile"
line: "umask 0077"
regexp: "umask [0-9]+"
tags:
- root
when: evolinux_root_umask
- name: Custom git config for root
copy:
src: root/gitconfig
dest: "/root/.gitconfig"
force: no
tags:
- root
when: evolinux_root_gitconfig
- name: Is .bash_history append-only
shell: lsattr /root/.bash_history | grep -E "^.*a.* "
register: bash_history_append_only
failed_when: False
changed_when: False
tags:
- root
- name: Set .bash_history append-only
command: chattr +a /root/.bash_history
when: bash_history_append_only.rc != 0
tags:
- root
when: evolinux_root_bash_history_appendonly and bash_history_append_only.rc != 0
- name: Setting vim as selected-editor
lineinfile:
@ -67,6 +58,7 @@
regexp: '^SELECTED_EDITOR='
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
create: yes
when: evolinux_root_vim_default
- name: Setting vim root configuration
lineinfile:
@ -83,3 +75,4 @@
- "set softtabstop=0"
- "set shiftwidth=4"
- "set smarttab"
when: evolinux_root_vim_conf
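Review bot: Every `tags: [root]` block in this file is deleted while the `when:` guards are added, so `ansible-playbook --tags root` no longer selects these tasks; the commit message does not mention it, and other task files in the same commit keep their tags (`nginx`, `apache`, `postfix`). If the removal is intentional it should be called out, otherwise the tags should stay next to the new `when:` lines. The "Is .bash_history append-only" check runs even when `evolinux_root_bash_history_appendonly` is false (only the `chattr` task is guarded), so `when: evolinux_root_bash_history_appendonly` on the `lsattr` task would avoid a pointless shell call.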


@ -11,7 +11,7 @@
line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
- name: Modify Match Address sshd directive
replace:
@ -21,7 +21,7 @@
validate: '/usr/sbin/sshd -T -f %s'
with_items: "{{ evolinux_ssh_password_auth_addresses }}"
notify: reload sshd
when: grep_matchaddress_ssh.rc == 0
when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
- name: disable SSH access for root
replace:
@ -35,3 +35,4 @@
dest: /etc/ssh/sshd_config
regexp: '^AcceptEnv'
replace: "#AcceptEnv"
when: evolinux_ssh_disable_acceptenv
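Review bot: Emptying `evolinux_ssh_password_auth_addresses` on a host that already has a `Match Address` block leaves password authentication enabled for the previously listed addresses: "Modify Match Address" loops over `with_items: "{{ evolinux_ssh_password_auth_addresses }}"`, so an empty list yields zero iterations and the stale block is never touched, and the insert task is skipped by `!= []`. A removal task for the empty-list case closes that gap (the regexp below assumes the block has the shape inserted at line 11 of this file; adjust if the real indentation differs). The `sshd -T -f %s` validation only checks syntax, so it will not catch a too-broad address list.

```yaml
# … unchanged: Add/Modify Match Address tasks …
- name: Remove Match Address block when no address is allowed
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '\nMatch Address [^\n]+\n\s*PasswordAuthentication yes'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0 and evolinux_ssh_password_auth_addresses == []
```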


@ -12,6 +12,7 @@
path: /tmp
state: directory
mode: 01777
when: evolinux_system_chmod_tmp
- name: Setting default locales
lineinfile:
@ -24,23 +25,25 @@
- "fr_FR ISO-8859-1"
- "fr_FR.UTF-8 UTF-8"
register: default_locales
when: evolinux_system_locales
- name: Reconfigure locales
command: /usr/sbin/locale-gen
when: default_locales | changed
when: evolinux_system_locales and default_locales | changed
- name: Setting default timezone
lineinfile:
dest: /etc/timezone
regexp: '^\w+/\w+$'
line: "{{ evolinux_timezone | mandatory }}"
line: "{{ evolinux_system_timezone | mandatory }}"
insertbefore: BOF
create: yes
register: change_timezone
when: evolinux_system_timezone != False
- name: Reconfigure tzdata
command: dpkg-reconfigure --frontend noninteractive tzdata
when: change_timezone | changed
when: evolinux_system_timezone != False and change_timezone | changed
# TODO : find a way to force the console-data configuration
# non-interactively (like tzdata ↑)
@ -49,6 +52,7 @@
alternatives:
name: editor
path: /usr/bin/vim.basic
when: evolinux_system_vim_default
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
lineinfile:
@ -56,12 +60,14 @@
line: "umask 027"
create: yes
state: present
when: evolinux_system_profile
- name: Set /etc/adduser.conf DIR_MODE to 0700
replace:
dest: /etc/adduser.conf
regexp: "^DIR_MODE=.*$"
replace: "DIR_MODE=0700"
when: evolinux_system_dirmode_adduser
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
@ -71,12 +77,14 @@
line: "tty2"
create: yes
state: present
when: evolinux_system_dirmode_adduser
- name: Setting TMOUT to deconnect inactive users
lineinfile:
dest: /etc/profile
line: "export TMOUT=36000"
state: present
when: evolinux_system_dirmode_adduser
#- name: Customizing /etc/fstab
@ -86,6 +94,7 @@
line: "umask 022"
create: yes
state: present
when: evolinux_system_dirmode_adduser
- name: Randomize periodic crontabs
replace:
@ -98,6 +107,7 @@
- {regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"}
- {regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"}
- {regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"}
when: evolinux_system_dirmode_adduser
# NTP server address
@ -105,9 +115,9 @@
replace:
dest: /etc/ntp.conf
regexp: "^server .*$"
replace: "server {{ evolinux_ntp_server }}"
replace: "server {{ evolinux_system_ntp_server }}"
backup: yes
when: evolinux_ntp_server | default(False)
when: evolinux_system_ntp_server != False
## alert5
@ -117,11 +127,13 @@
dest: /etc/init.d/alert5
force: no
mode: 0755
when: evolinux_system_alert5_init
- name: Enable alert5 init script
service:
name: alert5
enabled: yes
when: evolinux_system_alert5_init and evolinux_system_alert5_enable
## network interfaces
@ -131,3 +143,4 @@
regexp: "allow-hotplug"
replace: "auto"
backup: yes
when: evolinux_system_eni_auto
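Review bot: `when: evolinux_system_dirmode_adduser` is attached not only to the `/etc/adduser.conf DIR_MODE` task but also to the `tty2` entry, the `TMOUT=36000` export in `/etc/profile`, the `umask 022` line and "Randomize periodic crontabs", which looks like a copy-paste slip: disabling the adduser hardening would silently drop the session timeout and crontab randomisation too. Each of those needs its own default (e.g. `evolinux_system_tty2`, `evolinux_system_tmout`, `evolinux_system_umask_022`, `evolinux_system_random_crontabs`) and `when:` line. The NTP task's `when: evolinux_system_ntp_server != False` is also weaker than the old `| default(False)`: a `null` or empty value now passes and writes `server ` into `/etc/ntp.conf`, so `when: evolinux_system_ntp_server` (truthiness) is the safer test.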