evolinux-base: add conditions for most of tasks
This commit is contained in:
parent
475ccf3bd1
commit
130e1f2b0e
|
@ -19,11 +19,11 @@ Various tasks for Evolinux setup.
|
|||
* `provider_online` :
|
||||
* `provider_orange_fce` :
|
||||
|
||||
Each task file is included in the `main.yml` file with a condition based on a variable like `evolinux_tasks_hostname` (mostly `True` by default). The variables can be set to `False` to disable groups of tasks. Finer grained tasks disabling is done in each group of tasks.
|
||||
|
||||
## Available variables
|
||||
|
||||
Main variables are :
|
||||
Each tasks group is included in the `main.yml` file with a condition based on a variable like `evolinux_hostname_include` (mostly `True` by default). The variables can be set to `False` to disable a . Finer grained tasks disabling is done in each group of tasks.
|
||||
|
||||
Main variables are:
|
||||
|
||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
||||
* `apt_alert_email`: email address to send APT messages to (default: `general_alert_email`).
|
||||
|
|
|
@ -11,7 +11,10 @@ postfix_alias_email: Null
|
|||
|
||||
# hostname
|
||||
|
||||
evolinux_tasks_hostname: True
|
||||
evolinux_hostname_include: True
|
||||
|
||||
evolinux_hostname_hosts: True
|
||||
evolinux_hostname_mailname: True
|
||||
|
||||
evolinux_hostname: "{{ ansible_hostname }}"
|
||||
evolinux_domain: "{{ ansible_domain }}"
|
||||
|
@ -20,7 +23,7 @@ evolinux_internal_hostname: "{{ evolinux_hostname }}"
|
|||
|
||||
# kernel
|
||||
|
||||
evolinux_tasks_kernel: True
|
||||
evolinux_kernel_include: True
|
||||
|
||||
evolinux_kernel_reboot_after_panic: True
|
||||
evolinux_kernel_disable_tcp_timestamps: True
|
||||
|
@ -29,65 +32,115 @@ evolinux_kernel_cve20165696: True
|
|||
|
||||
# apt
|
||||
|
||||
evolinux_tasks_apt: True
|
||||
evolinux_apt_include: True
|
||||
|
||||
evolinux_apt_upgrade: True
|
||||
evolinux_apt_repositories_components: "main"
|
||||
evolinux_apt_conf: True
|
||||
evolinux_apt_hooks: True
|
||||
evolinux_apt_disable_originals: True
|
||||
evolinux_apt_disable_debsrc: True
|
||||
evolinux_apt_basic_sources: True
|
||||
evolinux_apt_public_sources: True
|
||||
evolinux_apt_upgrade: True
|
||||
evolinux_apt_remove_aptitude: True
|
||||
|
||||
evolinux_apt_repositories_components: "main"
|
||||
|
||||
# fstab
|
||||
|
||||
evolinux_tasks_fstab: True
|
||||
evolinux_fstab_include: True
|
||||
|
||||
evolinux_fstab_var_tmp: True
|
||||
|
||||
# packages
|
||||
|
||||
evolinux_tasks_packages: True
|
||||
evolinux_packages_include: True
|
||||
|
||||
evolinux_delete_nfs: True
|
||||
evolinux_packages_system: True
|
||||
evolinux_packages_diagnostic: True
|
||||
evolinux_packages_hardware: True
|
||||
evolinux_packages_common: True
|
||||
evolinux_packages_serveur_base: True
|
||||
evolinux_packages_invalid_mta: True
|
||||
evolinux_packages_delete_nfs: True
|
||||
evolinux_packages_listchanges: True
|
||||
|
||||
# system
|
||||
|
||||
evolinux_tasks_system: True
|
||||
evolinux_system_include: True
|
||||
|
||||
evolinux_ntp_server: Null
|
||||
evolinux_timezone: "Europe/Paris"
|
||||
evolinux_system_chmod_tmp: True
|
||||
evolinux_system_locales: True
|
||||
evolinux_system_timezone: "Europe/Paris"
|
||||
evolinux_system_vim_default: True
|
||||
evolinux_system_profile: True
|
||||
evolinux_system_dirmode_adduser: True
|
||||
evolinux_system_alert5_init: True
|
||||
evolinux_system_alert5_enable: True
|
||||
evolinux_system_eni_auto: True
|
||||
evolinux_system_ntp_server: False
|
||||
|
||||
# root
|
||||
|
||||
evolinux_tasks_root: True
|
||||
evolinux_root_include: True
|
||||
|
||||
evolinux_root_chmod: True
|
||||
evolinux_root_bashrc: True
|
||||
evolinux_root_bash_history: True
|
||||
evolinux_root_umask: True
|
||||
evolinux_root_gitconfig: True
|
||||
evolinux_root_bash_history_appendonly: True
|
||||
evolinux_root_vim_default: True
|
||||
evolinux_root_vim_conf: True
|
||||
|
||||
# ssh
|
||||
|
||||
evolinux_tasks_ssh: True
|
||||
evolinux_ssh_include: True
|
||||
|
||||
evolinux_ssh_password_auth_addresses: []
|
||||
evolinux_ssh_match_address: True
|
||||
evolinux_ssh_disable_root: True
|
||||
evolinux_ssh_disable_acceptenv: True
|
||||
|
||||
# postfix
|
||||
|
||||
evolinux_tasks_postfix: True
|
||||
evolinux_postfix_include: True
|
||||
|
||||
evolinux_postfix_packages: True
|
||||
evolinux_postfix_users_alias_root: True
|
||||
evolinux_postfix_mailer_alias_root: True
|
||||
evolinux_postfix_root_alias: True
|
||||
evolinux_postfix_purge_exim: True
|
||||
|
||||
# logs
|
||||
|
||||
evolinux_tasks_logs: True
|
||||
evolinux_logs_include: True
|
||||
|
||||
evolinux_logs_logrotate_confs: True
|
||||
evolinux_logs_default_rotate: True
|
||||
evolinux_logs_disable_logrotate_rsyslog: True
|
||||
evolinux_logs_rsyslog_conf: True
|
||||
|
||||
# default www
|
||||
|
||||
evolinux_tasks_default_www: True
|
||||
evolinux_default_www_include: True
|
||||
|
||||
evolinux_default_www_files: True
|
||||
evolinux_default_www_ssl_cert: True
|
||||
evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
|
||||
|
||||
evolinux_default_www_nginx_vhost: True
|
||||
evolinux_default_www_nginx_enabled: False
|
||||
|
||||
evolinux_default_www_apache_vhost: True
|
||||
evolinux_default_www_apache_enabled: False
|
||||
|
||||
evolinux_default_www_redirect_url: "http://evolix.fr"
|
||||
evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
|
||||
evolinux_default_www_nginx_enabled: False
|
||||
evolinux_default_www_apache_enabled: False
|
||||
|
||||
# hardware
|
||||
|
||||
evolinux_tasks_hardware: True
|
||||
evolinux_hardware_include: True
|
||||
|
||||
# providers
|
||||
|
||||
evolinux_tasks_provider_online: False
|
||||
evolinux_tasks_provider_orange_fce: False
|
||||
evolinux_provider_online_include: False
|
||||
evolinux_provider_orange_fce_include: False
|
||||
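Review bot: `evolinux_system_ntp_server: False` (paired with the `!= False` test in the system tasks hunk `@ -105,9 +115,9 @@`) uses a boolean as the "unset" marker for a hostname-valued variable, which is weaker than the old `Null` plus `| default(False)`: a user who disables NTP with `evolinux_system_ntp_server: null` or `""` passes the `!= False` test and the task writes a bogus `server` line into `/etc/ntp.conf`. Keeping `null` as the default and testing truthiness, `when: evolinux_system_ntp_server`, covers false, null and empty alike; `evolinux_system_timezone != False` has the same weakness. The many new `True`/`False`/`Null` literals are accepted by Ansible's YAML 1.1 loader, but lowercase `true`/`false`/`null` is the form yamllint's `truthy` rule expects. This rendering does not show which of the two `evolinux_apt_upgrade` and `evolinux_apt_repositories_components` lines is the new one, so it is worth confirming the final file defines each key once — a duplicate key is silently last-wins.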
|
|
|
@ -10,6 +10,7 @@
|
|||
with_items:
|
||||
- "APT::Install-Recommends \"0\";"
|
||||
- "APT::Install-Suggests \"0\";"
|
||||
when: evolinux_apt_conf
|
||||
|
||||
- name: DPKg invoke hooks
|
||||
lineinfile:
|
||||
|
@ -31,12 +32,14 @@
|
|||
with_items:
|
||||
# - '.+\.debian\.org'
|
||||
- 'cdrom:'
|
||||
when: evolinux_apt_disable_originals
|
||||
|
||||
- name: deb-src repositories are disabled
|
||||
replace:
|
||||
dest: /etc/apt/sources.list
|
||||
regexp: '^(deb-src.+)'
|
||||
replace: '# \1'
|
||||
when: evolinux_apt_disable_debsrc
|
||||
|
||||
- name: Basic sources list is installed
|
||||
lineinfile:
|
||||
|
@ -46,14 +49,16 @@
|
|||
- "deb http://security.debian.org/ jessie/updates {{ evolinux_apt_repositories_components | mandatory }}"
|
||||
- "deb http://mirror.evolix.org/debian/ jessie {{ evolinux_apt_repositories_components | mandatory }}"
|
||||
- "deb http://mirror.evolix.org/debian/ jessie-updates {{ evolinux_apt_repositories_components | mandatory }}"
|
||||
when: evolinux_apt_basic_sources
|
||||
|
||||
- name: Evolix public list is installed
|
||||
template:
|
||||
src: apt/evolix_public.list.j2
|
||||
copy:
|
||||
src: apt/evolix_public.list
|
||||
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||
force: yes
|
||||
backup: yes
|
||||
mode: 0640
|
||||
when: evolinux_apt_public_sources
|
||||
|
||||
- name: Remove Aptitude
|
||||
apt:
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
path: /var/www
|
||||
state: directory
|
||||
mode: 0755
|
||||
when: evolinux_default_www_files
|
||||
|
||||
- name: images are copied
|
||||
copy:
|
||||
|
@ -12,37 +13,40 @@
|
|||
mode: 0755
|
||||
directory_mode: 0755
|
||||
follow: yes
|
||||
when: evolinux_default_www_files
|
||||
|
||||
- name: index is copied
|
||||
template:
|
||||
src: default_www/index.html.j2
|
||||
dest: /var/www/index.html
|
||||
mode: 0755
|
||||
when: evolinux_default_www_files
|
||||
|
||||
# SSL cert
|
||||
|
||||
- name: ssl-cert package is installed
|
||||
apt:
|
||||
name: ssl-cert
|
||||
state: installed
|
||||
- block:
|
||||
- name: ssl-cert package is installed
|
||||
apt:
|
||||
name: ssl-cert
|
||||
state: installed
|
||||
|
||||
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
|
||||
args:
|
||||
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
|
||||
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
|
||||
args:
|
||||
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
- name: Adjust rights on private key
|
||||
file:
|
||||
path: /etc/ssl/private/{{ ansible_fqdn }}.key
|
||||
owner: root
|
||||
group: ssl-cert
|
||||
mode: 0640
|
||||
|
||||
- name: Create certificate for default site
|
||||
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||
args:
|
||||
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
||||
- name: Adjust rights on private key
|
||||
file:
|
||||
path: /etc/ssl/private/{{ ansible_fqdn }}.key
|
||||
owner: root
|
||||
group: ssl-cert
|
||||
mode: 0640
|
||||
|
||||
- name: Create certificate for default site
|
||||
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||
args:
|
||||
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
||||
when: evolinux_default_www_ssl_cert
|
||||
|
||||
# Nginx vhost
|
||||
|
||||
|
@ -60,8 +64,7 @@
|
|||
# force: yes
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
- nginx
|
||||
|
||||
- name: nginx vhost is enabled
|
||||
file:
|
||||
|
@ -71,9 +74,9 @@
|
|||
notify: reload nginx
|
||||
when: evolinux_default_www_nginx_enabled
|
||||
tags:
|
||||
- nginx
|
||||
- nginx
|
||||
|
||||
when: nginx_sites_available.stat.exists
|
||||
when: evolinux_default_www_nginx_vhost and nginx_sites_available.stat.exists
|
||||
|
||||
|
||||
# Apache vhost
|
||||
|
@ -92,8 +95,7 @@
|
|||
# force: yes
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- apache
|
||||
|
||||
- name: Apache vhost is enabled
|
||||
file:
|
||||
|
@ -103,6 +105,6 @@
|
|||
notify: reload apache
|
||||
when: evolinux_default_www_apache_enabled
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
when: apache_sites_available.stat.exists
|
||||
when: evolinux_default_www_apache_vhost and apache_sites_available.stat.exists
|
||||
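Review bot: The `when: evolinux_default_www_ssl_cert` that closes the new `block:` only gates all four SSL tasks if it sits at the `block:` indentation level; this rendering drops indentation, so please confirm it is not attached to the last `command:` task alone, which would leave the ssl-cert install, key generation and chmod running unconditionally. While these lines are being re-indented: on older OpenSSL releases `openssl req -keyout` creates the key file with the process umask, so between that task and `Adjust rights on private key` the key can briefly be readable by more than root and ssl-cert; `shell: umask 077 && openssl req …` with the same `args: creates:` guard makes the key private from creation. The block starts and ends inside the hunk.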
|
|
|
@ -49,5 +49,6 @@
|
|||
fstype: tmpfs
|
||||
opts: defaults,noexec,nosuid,nodev,size=1024m
|
||||
state: mounted
|
||||
when: evolinux_fstab_var_tmp
|
||||
|
||||
- meta: flush_handlers
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
dest: /etc/hosts
|
||||
regexp: '^127.0.0.1(\s+)localhost.*$'
|
||||
replace: '127.0.0.1\1localhost.localdomain localhost'
|
||||
when: evolinux_hostname_hosts
|
||||
|
||||
- name: Set ip+fqdn+hostname in /etc/hosts
|
||||
lineinfile:
|
||||
|
@ -15,30 +16,35 @@
|
|||
regexp: '^{{ ansible_default_ipv4.address }}\s+'
|
||||
line: "{{ ansible_default_ipv4.address }} {{ evolinux_fqdn }} {{ evolinux_hostname }}"
|
||||
insertafter: '127.0.0.1\s+localhost.localdomain'
|
||||
when: evolinux_hostname_hosts
|
||||
|
||||
- name: 127.0.1.1 is removed
|
||||
lineinfile:
|
||||
dest: /etc/hosts
|
||||
regexp: '^127.0.1.1\s+'
|
||||
state: absent
|
||||
when: evolinux_hostname_hosts
|
||||
|
||||
- name: /etc/mailname is up-to-date
|
||||
copy:
|
||||
dest: /etc/mailname
|
||||
content: "{{ evolinux_fqdn }}\n"
|
||||
force: yes
|
||||
when: evolinux_hostname_mailname
|
||||
|
||||
- name: override ansible_hostname fact
|
||||
# Override facts
|
||||
|
||||
- name: Override ansible_hostname fact
|
||||
set_fact:
|
||||
ansible_hostname: "{{ evolinux_hostname }}"
|
||||
when: ansible_hostname != evolinux_hostname
|
||||
|
||||
- name: override ansible_domain fact
|
||||
- name: Override ansible_domain fact
|
||||
set_fact:
|
||||
ansible_domain: "{{ evolinux_domain }}"
|
||||
when: ansible_domain != evolinux_domain
|
||||
|
||||
- name: override ansible_fqdn fact
|
||||
- name: Override ansible_fqdn fact
|
||||
set_fact:
|
||||
ansible_fqdn: "{{ evolinux_fqdn }}"
|
||||
when: ansible_fqdn != evolinux_fqdn
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
dest: /etc/rsyslog.conf
|
||||
mode: 0644
|
||||
notify: restart rsyslog
|
||||
when: evolinux_logs_rsyslog_conf
|
||||
|
||||
- name: Disable logrotate default conf
|
||||
command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
|
||||
|
@ -15,14 +16,17 @@
|
|||
removes: /etc/logrotate.d/rsyslog
|
||||
creates: /etc/logrotate.d/rsyslog.disabled
|
||||
notify: restart rsyslog
|
||||
when: evolinux_logs_disable_logrotate_rsyslog
|
||||
|
||||
- name: Copy many logrotate files
|
||||
copy:
|
||||
src: logs/logrotate.d/
|
||||
dest: /etc/logrotate.d/
|
||||
when: evolinux_logs_logrotate_confs
|
||||
|
||||
- name: Configure logrotate.conf
|
||||
replace:
|
||||
dest: /etc/logrotate.conf
|
||||
regexp: "rotate [0-9]*"
|
||||
replace: "rotate 12"
|
||||
when: evolinux_logs_default_rotate
|
||||
|
|
|
@ -1,56 +1,56 @@
|
|||
---
|
||||
- name: Hostname
|
||||
include: hostname.yml
|
||||
when: evolinux_tasks_hostname
|
||||
when: evolinux_hostname_include
|
||||
|
||||
- name: Kernel tuning
|
||||
include: kernel.yml
|
||||
when: evolinux_tasks_kernel
|
||||
when: evolinux_kernel_include
|
||||
|
||||
- name: Apt configuration and packages install
|
||||
include: apt.yml
|
||||
when: evolinux_tasks_apt
|
||||
when: evolinux_apt_include
|
||||
|
||||
- name: Fstab configuration
|
||||
include: fstab.yml
|
||||
when: evolinux_tasks_fstab
|
||||
when: evolinux_fstab_include
|
||||
|
||||
- name: Packages
|
||||
include: packages.yml
|
||||
when: evolinux_tasks_packages
|
||||
when: evolinux_packages_include
|
||||
|
||||
- name: System settings
|
||||
include: system.yml
|
||||
when: evolinux_tasks_system
|
||||
when: evolinux_system_include
|
||||
|
||||
- name: Root user configuration
|
||||
include: root.yml
|
||||
when: evolinux_tasks_root
|
||||
when: evolinux_root_include
|
||||
|
||||
- name: SSH configuration
|
||||
include: ssh.yml
|
||||
when: evolinux_tasks_ssh
|
||||
when: evolinux_ssh_include
|
||||
|
||||
- name: Postfix
|
||||
include: postfix.yml
|
||||
when: evolinux_tasks_postfix
|
||||
when: evolinux_postfix_include
|
||||
|
||||
- name: Logs management
|
||||
include: logs.yml
|
||||
when: evolinux_tasks_logs
|
||||
when: evolinux_logs_include
|
||||
|
||||
- name: Default index page
|
||||
include: default_www.yml
|
||||
when: evolinux_tasks_default_www
|
||||
when: evolinux_default_www_include
|
||||
|
||||
- name: Hardware drivers and tools
|
||||
include: hardware.yml
|
||||
when: evolinux_tasks_hardware
|
||||
when: evolinux_hardware_include
|
||||
|
||||
- name: Customize for Online.net
|
||||
include: provider_online.yml
|
||||
when: evolinux_tasks_provider_online
|
||||
when: evolinux_provider_online_include
|
||||
|
||||
- name: Customize for Orange FCE
|
||||
include: provider_orange_fce.yml
|
||||
when: evolinux_tasks_provider_orange_fce
|
||||
when: evolinux_provider_orange_fce_include
|
||||
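Review bot: Renaming every switch (apparently from `evolinux_tasks_*` to `evolinux_*_include`) with no compatibility handling means an inventory or playbook that still sets the old names is silently ignored and every group falls back to its default of `True`, so a group someone had deliberately disabled starts running again. The README hunk at the top of this page describes the new names but does not say the old ones are no longer read; a sentence there (and in a changelog, if the role keeps one) would make the break visible. A cheap transitional guard is a first task in this file such as `- assert: { that: "evolinux_tasks_hostname is not defined", msg: "evolinux_tasks_* variables were renamed to evolinux_*_include" }`, removable after a release.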
|
|
|
@ -13,6 +13,7 @@
|
|||
- pv
|
||||
- apg
|
||||
- conntrack
|
||||
when: evolinux_packages_system
|
||||
|
||||
- name: Install/Update diagnostic tools
|
||||
apt:
|
||||
|
@ -26,6 +27,7 @@
|
|||
- iotop
|
||||
- tcpdump
|
||||
- mtr-tiny
|
||||
when: evolinux_packages_diagnostic
|
||||
|
||||
- name: Install/Update hardware tools
|
||||
apt:
|
||||
|
@ -34,7 +36,7 @@
|
|||
- hdparm
|
||||
- smartmontools
|
||||
- lm-sensors
|
||||
|
||||
when: evolinux_packages_hardware
|
||||
|
||||
- name: Install/Update common tools
|
||||
apt:
|
||||
|
@ -50,12 +52,13 @@
|
|||
- rsync
|
||||
- bc
|
||||
- pinentry-curses
|
||||
when: evolinux_packages_common
|
||||
|
||||
- name: Install/Update serveur-base meta-package
|
||||
command: "apt-get install -yq --allow-unauthenticated serveur-base"
|
||||
register: install_server_base
|
||||
changed_when: not (install_server_base.stdout | search("0 upgraded") and install_server_base.stdout | search("0 newly installed"))
|
||||
|
||||
when: evolinux_packages_serveur_base
|
||||
|
||||
- name: is an MTA installed?
|
||||
command: "dpkg -S /usr/sbin/sendmail"
|
||||
|
@ -66,7 +69,7 @@
|
|||
- name: Install lsb-invalid-mta
|
||||
apt:
|
||||
name: lsb-invalid-mta
|
||||
when: mta_installed.rc != 0
|
||||
when: evolinux_packages_invalid_mta and mta_installed.rc != 0
|
||||
|
||||
|
||||
- name: Deleting rpcbin and nfs-common
|
||||
|
@ -76,7 +79,7 @@
|
|||
with_items:
|
||||
- rpcbind
|
||||
- nfs-common
|
||||
when: evolinux_delete_nfs
|
||||
when: evolinux_packages_delete_nfs
|
||||
|
||||
|
||||
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
|
||||
|
@ -89,3 +92,4 @@
|
|||
with_items:
|
||||
- { option: "confirm", value: "1" }
|
||||
- { option: "which", value: "both" }
|
||||
when: evolinux_packages_listchanges
|
||||
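Review bot: The new `evolinux_packages_serveur_base` switch gates a task that runs `apt-get install … --allow-unauthenticated`, which tells apt to install the package even when the repository signature cannot be verified, and the defaults hunk turns the switch on. Since this commit is the point where each step gets an explicit opt-out, this one deserves a comment stating why the flag is needed (perhaps the repository key is not installed at that stage) and, if that reason no longer holds, dropping the flag or defaulting the switch to `False`; for example `# --allow-unauthenticated: <reason the repository cannot be verified here>` above the `command:` line. The task is fully inside the hunk.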
|
|
|
@ -7,6 +7,7 @@
|
|||
with_items:
|
||||
- postfix
|
||||
- mailgraph
|
||||
when: evolinux_postfix_packages
|
||||
tags:
|
||||
- packages
|
||||
- postfix
|
||||
|
@ -25,6 +26,7 @@
|
|||
line: "{{ item }}: root"
|
||||
with_items: "{{ non_root_users_list.stdout_lines }}"
|
||||
notify: newaliases
|
||||
when: evolinux_postfix_users_alias_root
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
|
@ -38,6 +40,7 @@
|
|||
- abuse
|
||||
- mailer-daemon
|
||||
notify: newaliases
|
||||
when: evolinux_postfix_mailer_alias_root
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
|
@ -47,6 +50,7 @@
|
|||
regexp: "^root:"
|
||||
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
|
||||
notify: newaliases
|
||||
when: evolinux_postfix_root_alias
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
|
@ -66,4 +70,3 @@
|
|||
tags:
|
||||
- packages
|
||||
- postfix
|
||||
|
||||
|
|
|
@ -5,8 +5,7 @@
|
|||
path: /root
|
||||
state: directory
|
||||
mode: 0700
|
||||
tags:
|
||||
- root
|
||||
when: evolinux_root_chmod
|
||||
|
||||
- name: "Customize root's bashrc..."
|
||||
lineinfile:
|
||||
|
@ -18,8 +17,7 @@
|
|||
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth"
|
||||
- "export HISTSIZE=65535"
|
||||
- "export HISTTIMEFORMAT=\"%c : \""
|
||||
tags:
|
||||
- root
|
||||
when: evolinux_root_bashrc
|
||||
|
||||
## .bash_history should be append-only
|
||||
|
||||
|
@ -28,38 +26,31 @@
|
|||
content: ""
|
||||
dest: "/root/.bash_history"
|
||||
force: no
|
||||
tags:
|
||||
- root
|
||||
when: evolinux_root_bash_history
|
||||
|
||||
- name: Set umask in /root/.profile
|
||||
lineinfile:
|
||||
dest: "/root/.profile"
|
||||
line: "umask 0077"
|
||||
regexp: "umask [0-9]+"
|
||||
tags:
|
||||
- root
|
||||
when: evolinux_root_umask
|
||||
|
||||
- name: Custom git config for root
|
||||
copy:
|
||||
src: root/gitconfig
|
||||
dest: "/root/.gitconfig"
|
||||
force: no
|
||||
tags:
|
||||
- root
|
||||
when: evolinux_root_gitconfig
|
||||
|
||||
- name: Is .bash_history append-only
|
||||
shell: lsattr /root/.bash_history | grep -E "^.*a.* "
|
||||
register: bash_history_append_only
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
tags:
|
||||
- root
|
||||
|
||||
- name: Set .bash_history append-only
|
||||
command: chattr +a /root/.bash_history
|
||||
when: bash_history_append_only.rc != 0
|
||||
tags:
|
||||
- root
|
||||
when: evolinux_root_bash_history_appendonly and bash_history_append_only.rc != 0
|
||||
|
||||
- name: Setting vim as selected-editor
|
||||
lineinfile:
|
||||
|
@ -67,6 +58,7 @@
|
|||
regexp: '^SELECTED_EDITOR='
|
||||
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
|
||||
create: yes
|
||||
when: evolinux_root_vim_default
|
||||
|
||||
- name: Setting vim root configuration
|
||||
lineinfile:
|
||||
|
@ -83,3 +75,4 @@
|
|||
- "set softtabstop=0"
|
||||
- "set shiftwidth=4"
|
||||
- "set smarttab"
|
||||
when: evolinux_root_vim_conf
|
||||
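Review bot: The hunks in this file replace each task's `tags: - root` with a `when:`, so `ansible-playbook --tags root` / `--skip-tags root` no longer selects these tasks; the hunk line counts (8→7, 8→7, 38→31) confirm the tags are removed rather than kept. If that is intended it belongs in the commit message, because the postfix tasks on this page keep their `tags:` next to the new `when:`; otherwise keep both, e.g. `tags:` / `  - root` followed by `when: evolinux_root_chmod`. The `Is .bash_history append-only` task also loses its tags but gets no `when:`, so it still runs when `evolinux_root_bash_history_appendonly` is false — harmless, but worth gating for consistency.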
|
|
|
@ -11,7 +11,7 @@
|
|||
line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
|
||||
when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
|
||||
|
||||
- name: Modify Match Address sshd directive
|
||||
replace:
|
||||
|
@ -21,7 +21,7 @@
|
|||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
with_items: "{{ evolinux_ssh_password_auth_addresses }}"
|
||||
notify: reload sshd
|
||||
when: grep_matchaddress_ssh.rc == 0
|
||||
when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
|
||||
|
||||
- name: disable SSH access for root
|
||||
replace:
|
||||
|
@ -35,3 +35,4 @@
|
|||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^AcceptEnv'
|
||||
replace: "#AcceptEnv"
|
||||
when: evolinux_ssh_disable_acceptenv
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
path: /tmp
|
||||
state: directory
|
||||
mode: 01777
|
||||
when: evolinux_system_chmod_tmp
|
||||
|
||||
- name: Setting default locales
|
||||
lineinfile:
|
||||
|
@ -24,23 +25,25 @@
|
|||
- "fr_FR ISO-8859-1"
|
||||
- "fr_FR.UTF-8 UTF-8"
|
||||
register: default_locales
|
||||
when: evolinux_system_locales
|
||||
|
||||
- name: Reconfigure locales
|
||||
command: /usr/sbin/locale-gen
|
||||
when: default_locales | changed
|
||||
when: evolinux_system_locales and default_locales | changed
|
||||
|
||||
- name: Setting default timezone
|
||||
lineinfile:
|
||||
dest: /etc/timezone
|
||||
regexp: '^\w+/\w+$'
|
||||
line: "{{ evolinux_timezone | mandatory }}"
|
||||
line: "{{ evolinux_system_timezone | mandatory }}"
|
||||
insertbefore: BOF
|
||||
create: yes
|
||||
register: change_timezone
|
||||
when: evolinux_system_timezone != False
|
||||
|
||||
- name: Reconfigure tzdata
|
||||
command: dpkg-reconfigure --frontend noninteractive tzdata
|
||||
when: change_timezone | changed
|
||||
when: evolinux_system_timezone != False and change_timezone | changed
|
||||
|
||||
# TODO : find a way to force the console-data configuration
|
||||
# non-interactively (like tzdata ↑)
|
||||
|
@ -49,6 +52,7 @@
|
|||
alternatives:
|
||||
name: editor
|
||||
path: /usr/bin/vim.basic
|
||||
when: evolinux_system_vim_default
|
||||
|
||||
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
|
||||
lineinfile:
|
||||
|
@ -56,12 +60,14 @@
|
|||
line: "umask 027"
|
||||
create: yes
|
||||
state: present
|
||||
when: evolinux_system_profile
|
||||
|
||||
- name: Set /etc/adduser.conf DIR_MODE to 0700
|
||||
replace:
|
||||
dest: /etc/adduser.conf
|
||||
regexp: "^DIR_MODE=.*$"
|
||||
replace: "DIR_MODE=0700"
|
||||
when: evolinux_system_dirmode_adduser
|
||||
|
||||
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
|
||||
|
||||
|
@ -71,12 +77,14 @@
|
|||
line: "tty2"
|
||||
create: yes
|
||||
state: present
|
||||
when: evolinux_system_dirmode_adduser
|
||||
|
||||
- name: Setting TMOUT to deconnect inactive users
|
||||
lineinfile:
|
||||
dest: /etc/profile
|
||||
line: "export TMOUT=36000"
|
||||
state: present
|
||||
when: evolinux_system_dirmode_adduser
|
||||
|
||||
#- name: Customizing /etc/fstab
|
||||
|
||||
|
@ -86,6 +94,7 @@
|
|||
line: "umask 022"
|
||||
create: yes
|
||||
state: present
|
||||
when: evolinux_system_dirmode_adduser
|
||||
|
||||
- name: Randomize periodic crontabs
|
||||
replace:
|
||||
|
@ -98,6 +107,7 @@
|
|||
- {regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"}
|
||||
- {regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"}
|
||||
- {regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"}
|
||||
when: evolinux_system_dirmode_adduser
|
||||
|
||||
# NTP server address
|
||||
|
||||
|
@ -105,9 +115,9 @@
|
|||
replace:
|
||||
dest: /etc/ntp.conf
|
||||
regexp: "^server .*$"
|
||||
replace: "server {{ evolinux_ntp_server }}"
|
||||
replace: "server {{ evolinux_system_ntp_server }}"
|
||||
backup: yes
|
||||
when: evolinux_ntp_server | default(False)
|
||||
when: evolinux_system_ntp_server != False
|
||||
|
||||
## alert5
|
||||
|
||||
|
@ -117,11 +127,13 @@
|
|||
dest: /etc/init.d/alert5
|
||||
force: no
|
||||
mode: 0755
|
||||
when: evolinux_system_alert5_init
|
||||
|
||||
- name: Enable alert5 init script
|
||||
service:
|
||||
name: alert5
|
||||
enabled: yes
|
||||
when: evolinux_system_alert5_init and evolinux_system_alert5_enable
|
||||
|
||||
## network interfaces
|
||||
|
||||
|
@ -131,3 +143,4 @@
|
|||
regexp: "allow-hotplug"
|
||||
replace: "auto"
|
||||
backup: yes
|
||||
when: evolinux_system_eni_auto
|
||||
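Review bot: `when: evolinux_system_dirmode_adduser` is attached to four tasks that have nothing to do with adduser's DIR_MODE — the `tty2` lineinfile at the top of hunk `@ -71,12 +77,14 @@`, `Setting TMOUT to deconnect inactive users` in the same hunk, the `umask 022` lineinfile in hunk `@ -86,6 +94,7 @@` and `Randomize periodic crontabs` in hunk `@ -98,6 +107,7 @@` — which looks like a copy-paste of the preceding task's condition. Turning off `evolinux_system_dirmode_adduser` would then silently drop the idle-session timeout, the umask default and the crontab randomization as well. Each of these wants its own switch (for instance a new `evolinux_system_tmout`-style variable per task) with a matching default added next to `evolinux_system_dirmode_adduser: True`. The `tty2` and `umask 022` tasks start outside their hunks.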
|
|