
Improve Ansible syntax

replace « x | changed » with « x is changed »
add explicit « bool » filter
use « length » filter instead of string comparison
Jérémy Lecour 5 months ago
committed by Jérémy Lecour
parent
commit
2ed77c60f0
  1. 4
      apache/tasks/main.yml
  2. 2
      apache/tasks/server_status.yml
  3. 2
      apt/tasks/basics.yml
  4. 8
      apt/tasks/config.yml
  5. 4
      apt/tasks/hold_packages.yml
  6. 10
      apt/tasks/main.yml
  7. 22
      bind/tasks/main.yml
  8. 2
      certbot/tasks/install-legacy.yml
  9. 8
      docker-host/tasks/main.yml
  10. 16
      elasticsearch/tasks/configuration.yml
  11. 8
      elasticsearch/tasks/datadir.yml
  12. 4
      elasticsearch/tasks/main.yml
  13. 15
      elasticsearch/tasks/tmpdir.yml
  14. 2
      etc-git/tasks/do_commit.yml
  15. 2
      etc-git/tasks/repository.yml
  16. 2
      evoacme/tasks/evoacme_hook.yml
  17. 2
      evoacme/tasks/main.yml
  18. 2
      evobackup-client/handlers/main.yml
  19. 2
      evocheck/tasks/exec.yml
  20. 2
      evocheck/tasks/main.yml
  21. 8
      evolinux-base/tasks/default_www.yml
  22. 12
      evolinux-base/tasks/fstab.yml
  23. 10
      evolinux-base/tasks/hostname.yml
  24. 10
      evolinux-base/tasks/kernel.yml
  25. 10
      evolinux-base/tasks/logs.yml
  26. 50
      evolinux-base/tasks/main.yml
  27. 26
      evolinux-base/tasks/packages.yml
  28. 10
      evolinux-base/tasks/postfix.yml
  29. 18
      evolinux-base/tasks/root.yml
  30. 48
      evolinux-base/tasks/system.yml
  31. 2
      evolinux-todo/tasks/cat.yml
  32. 8
      evolinux-users/tasks/main.yml
  33. 2
      evolinux-users/tasks/ssh.yml
  34. 4
      evolinux-users/tasks/sudo.yml
  35. 2
      evolinux-users/tasks/sudo_jessie.yml
  36. 20
      evolinux-users/tasks/user.yml
  37. 2
      evomaintenance/tasks/install_vendor_debian.yml
  38. 8
      evomaintenance/tasks/main.yml
  39. 2
      evomaintenance/tasks/minifirewall.yml
  40. 4
      fail2ban/tasks/main.yml
  41. 27
      filebeat/tasks/main.yml
  42. 4
      haproxy/tasks/main.yml
  43. 4
      java/tasks/main.yml
  44. 2
      java/tasks/openjdk.yml
  45. 2
      java/tasks/oracle.yml
  46. 2
      keepalived/tasks/main.yml
  47. 2
      kibana/tasks/main.yml
  48. 4
      kvm-host/tasks/images.yml
  49. 6
      ldap/tasks/ldapvirc.yml
  50. 8
      ldap/tasks/nagios.yml
  51. 11
      logstash/tasks/tmpdir.yml
  52. 5
      lxc-php/tasks/misc.yml
  53. 2
      lxc/tasks/create-container.yml
  54. 6
      lxc/tasks/main.yml
  55. 14
      memcached/tasks/main.yml
  56. 2
      memcached/tasks/munin.yml
  57. 19
      metricbeat/tasks/main.yml
  58. 4
      minifirewall/tasks/activate.yml
  59. 9
      minifirewall/tasks/config.yml
  60. 6
      minifirewall/tasks/main.yml
  61. 4
      minifirewall/tasks/tail.yml
  62. 2
      mongodb/tasks/main_buster.yml
  63. 4
      mysql-oracle/tasks/datadir.yml
  64. 6
      mysql-oracle/tasks/nrpe.yml
  65. 2
      mysql-oracle/tasks/packages.yml
  66. 2
      mysql-oracle/tasks/tmpdir.yml
  67. 21
      mysql-oracle/tasks/utils.yml
  68. 2
      mysql/tasks/config_stretch.yml
  69. 4
      mysql/tasks/datadir.yml
  70. 4
      mysql/tasks/logdir.yml
  71. 2
      mysql/tasks/main.yml
  72. 6
      mysql/tasks/nrpe.yml
  73. 2
      mysql/tasks/packages_jessie.yml
  74. 2
      mysql/tasks/packages_stretch.yml
  75. 2
      mysql/tasks/tmpdir.yml
  76. 2
      mysql/tasks/users_jessie.yml
  77. 4
      mysql/tasks/users_stretch.yml
  78. 31
      mysql/tasks/utils.yml
  79. 2
      nagios-nrpe/tasks/main.yml
  80. 8
      networkd-to-ifconfig/tasks/main.yml
  81. 4
      networkd-to-ifconfig/tasks/set_facts_from_ansible.yml
  82. 4
      newrelic/tasks/main.yml
  83. 4
      newrelic/tasks/php.yml
  84. 2
      newrelic/tasks/sysmond.yml
  85. 4
      nginx/tasks/main.yml
  86. 4
      nginx/tasks/packages.yml
  87. 2
      nginx/tasks/server_status_read.yml
  88. 2
      nodejs/tasks/main.yml
  89. 2
      packweb-apache/tasks/main.yml
  90. 2
      packweb-apache/tasks/phpmyadmin.yml
  91. 6
      percona/tasks/main.yml
  92. 2
      php/tasks/config_apache.yml
  93. 2
      php/tasks/config_cli.yml
  94. 6
      php/tasks/config_fpm.yml
  95. 3
      php/tasks/main.yml
  96. 16
      php/tasks/main_buster.yml
  97. 12
      php/tasks/main_jessie.yml
  98. 16
      php/tasks/main_stretch.yml
  99. 8
      php/tasks/sury_post.yml
  100. 6
      postfix/tasks/main.yml

4
apache/tasks/main.yml

@ -21,9 +21,9 @@
tags:
- apache
- packages
when:
when:
- ansible_distribution_major_version is version('9', '>=')
- apache_mpm == "itk"
- apache_mpm == "itk"
- name: packages are installed (jessie)
apt:

2
apache/tasks/server_status.yml

@ -14,7 +14,7 @@
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
force: yes
when: apache_serverstatus_suffix != ""
when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
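Review bot: `when: apache_serverstatus_suffix | length > 0` is stricter than the old `!= ""`: a null value now aborts the task with a `len()` error where it used to be treated as a non-empty string, so if the variable may be `null` (the case this commit guards with `is not none` in elasticsearch/tasks/datadir.yml) write `when: apache_serverstatus_suffix | default('', true) | length > 0`. The same unguarded `| length` form is used for `evocheck_run.stdout`, `git_status.stdout` and `_find_hook.stdout`, but those are registered command output and are strings whenever the task ran, so only user-supplied variables need the guard. Note that an undefined variable still fails either way; the filter does not replace a `default`.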

2
apt/tasks/basics.yml

@ -20,7 +20,7 @@
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist
when: apt_clean_gandi_sourceslist | bool
tags:
- apt
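Review bot: `when: apt_clean_gandi_sourceslist | bool` silently turns any string the filter does not recognise (anything other than the yes/no/on/off/true/false/1/0 spellings, at least in Ansible 2.x's core `bool` filter) into `false`, so a mistyped inventory value now skips the task with no warning where the bare reference would have been truthy; the filter also does nothing for an undefined variable, which still errors. This applies to every `| bool` conversion in the commit, not only this hunk. If these switches are meant to be real booleans, stating that in the role defaults (e.g. `apt_clean_gandi_sourceslist: false  # boolean, not a string`) documents the expectation better than relying on the coercion.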

8
apt/tasks/config.yml

@ -12,7 +12,7 @@
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
when: apt_evolinux_config
when: apt_evolinux_config | bool
tags:
- apt
@ -28,7 +28,7 @@
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
when: apt_hooks
when: apt_hooks | bool
tags:
- apt
@ -36,7 +36,7 @@
apt:
name: aptitude
state: absent
when: apt_remove_aptitude
when: apt_remove_aptitude | bool
tags:
- apt
@ -50,6 +50,6 @@
- name: Upgrading system
apt:
upgrade: dist
when: apt_upgrade
when: apt_upgrade | bool
tags:
- apt

4
apt/tasks/hold_packages.yml

@ -4,7 +4,9 @@
shell: "(dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
register: apt_mark
changed_when: "item + ' set on hold.' in apt_mark.stdout"
failed_when: apt_mark.rc != 0 and not apt_mark.stdout == ''
failed_when:
- apt_mark.rc != 0
- apt_mark.stdout | length > 0
loop: "{{ apt_hold_packages }}"
tags:
- apt
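Review bot: The rewritten `failed_when` list is equivalent to the old `and` expression, but the `shell:` line it guards interpolates `{{ item }}` into the command three times without quoting, so a package name from `apt_hold_packages` containing shell metacharacters would be interpreted by the shell rather than matched; `{{ item | quote }}` in each place removes that. `apt_hold_packages` is presumably operator-controlled inventory, so this is hardening rather than a reachable defect. Separately, `apt-mark showhold | grep --quiet {{ item }}` is an unanchored substring match, so a hold on `vim-tiny` makes `vim` look already held; `grep --quiet -x {{ item | quote }}` matches the whole line.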

10
apt/tasks/main.yml

@ -10,30 +10,30 @@
- name: Custom configuration
include: config.yml
when: apt_config
when: apt_config | bool
tags:
- apt
- name: Install basics repositories
include: basics.yml
when: apt_install_basics
when: apt_install_basics | bool
tags:
- apt
- name: Install APT Backports repository
include: backports.yml
when: apt_install_backports
when: apt_install_backports | bool
tags:
- apt
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public
when: apt_install_evolix_public | bool
tags:
- apt
- name: Install check for packages marked hold
include: hold_packages.yml
when: apt_install_hold_packages
when: apt_install_hold_packages | bool
tags:
- apt

22
bind/tasks/main.yml

@ -6,7 +6,7 @@
bind_cache_dir: /var/cache/bind
bind_statistics_file: /var/run/named.stats
bind_chroot_path: /var/chroot-bind
when: bind_chroot_set
when: bind_chroot_set | bool
- name: configure apparmor
template:
@ -34,7 +34,7 @@
mode: "0644"
force: yes
notify: restart bind
when: bind_recursive_server
when: bind_recursive_server | bool
- name: enable zones.rfc1918 for recursive server
lineinfile:
@ -42,7 +42,7 @@
line: 'include "/etc/bind/zones.rfc1918";'
regexp: "zones.rfc1918"
notify: restart bind
when: bind_recursive_server
when: bind_recursive_server | bool
- name: Set bind configuration for authoritative server
template:
@ -53,7 +53,7 @@
mode: "0644"
force: yes
notify: restart bind
when: bind_authoritative_server
when: bind_authoritative_server | bool
- name: Create systemd service
template:
@ -75,7 +75,7 @@
group: adm
mode: "0640"
state: touch
when: not bind_chroot_set
when: not (bind_chroot_set | bool)
- name: "touch {{ bind_query_file }} if non chroot"
file:
@ -84,7 +84,7 @@
group: adm
mode: "0640"
state: touch
when: not bind_chroot_set
when: not (bind_chroot_set | bool)
- name: send chroot-bind.sh in /root
copy:
@ -94,17 +94,19 @@
owner: root
force: yes
backup: yes
when: bind_chroot_set
when: bind_chroot_set | bool
- name: exec chroot-bind.sh
command: "/root/chroot-bind.sh"
register: chrootbind_run
changed_when: False
when: bind_chroot_set
when: bind_chroot_set | bool
- debug:
var: chrootbind_run.stdout_lines
when: bind_chroot_set and chrootbind_run.stdout != ""
when:
- bind_chroot_set | bool
- chrootbind_run.stdout | length > 0
- name: Modify OPTIONS in /etc/default/bind9 for chroot
replace:
@ -112,7 +114,7 @@
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
notify: restart bind
when: bind_chroot_set
when: bind_chroot_set | bool
- name: logrotate for bind
template:

2
certbot/tasks/install-legacy.yml

@ -48,7 +48,7 @@
src: cron_jessie
dest: /etc/cron.d/certbot
force: yes
when: certbot_custom_crontab
when: certbot_custom_crontab | bool
- name: disable self-upgrade
ini_file:

8
docker-host/tasks/main.yml

@ -73,7 +73,7 @@
state: directory
mode: "0644"
owner: root
when: docker_tls_enabled
when: docker_tls_enabled | bool
- name: Copy shellpki utility to Docker TLS directory
template:
@ -83,7 +83,7 @@
loop:
- shellpki.sh
- openssl.cnf
when: docker_tls_enabled
when: docker_tls_enabled | bool
- name: Check if certs are already created
stat:
@ -92,4 +92,6 @@
- name: Creating a CA, server key
command: "{{ docker_tls_path }}/shellpki.sh init"
when: docker_tls_enabled and not tls_certs_stat.stat.isdir is defined
when:
- docker_tls_enabled | bool
- not tls_certs_stat.stat.isdir
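Review bot: `- not tls_certs_stat.stat.isdir` does not preserve the old `not tls_certs_stat.stat.isdir is defined`: the `stat` module only returns `isdir` when the path exists, so on a host where the TLS directory has not been created yet the conditional should now fail to evaluate with an undefined attribute instead of running the CA creation, and a path that exists as a regular file now runs the task where it was skipped before. Keep the original semantics with `- tls_certs_stat.stat.isdir is not defined`, or, if the intent is simply "not created yet", `- not tls_certs_stat.stat.exists`. The `stat` task's `path` is outside the hunk, so which of the two fits is inferred.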

16
elasticsearch/tasks/configuration.yml

@ -6,7 +6,7 @@
line: "cluster.name: {{ elasticsearch_cluster_name }}"
regexp: "^cluster.name:"
insertafter: "^# *cluster.name:"
when: elasticsearch_cluster_name|default("", True)
when: elasticsearch_cluster_name | default("", True) | length > 0
tags:
- config
@ -25,7 +25,7 @@
line: "network.host: {{ elasticsearch_network_host }}"
regexp: "^network.host:"
insertafter: "^# *network.host:"
when: elasticsearch_network_host|default("", True)
when: elasticsearch_network_host | default("", True) | length > 0
tags:
- config
@ -35,7 +35,7 @@
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
regexp: "^network.publish_host:"
insertafter: "^network.host:"
when: elasticsearch_network_publish_host|default("", True)
when: elasticsearch_network_publish_host | default("", True) | length > 0
tags:
- config
@ -45,7 +45,7 @@
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
regexp: "^http.publish_host:"
insertafter: "^http.port:"
when: elasticsearch_http_publish_host|default("", True)
when: elasticsearch_http_publish_host | default("", True) | length > 0
tags:
- config
@ -54,7 +54,7 @@
dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml }}"
regexp: "^discovery.seed_hosts:"
when: elasticsearch_discovery_seed_hosts
when: elasticsearch_discovery_seed_hosts | length > 0
tags:
- config
@ -63,7 +63,7 @@
dest: /etc/elasticsearch/elasticsearch.yml
line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml }}"
regexp: "^cluster.initial_master_nodes:"
when: elasticsearch_cluster_initial_master_nodes
when: elasticsearch_cluster_initial_master_nodes | length > 0
tags:
- config
@ -98,7 +98,7 @@
line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
regexp: "^discovery.zen.ping.unicast.hosts:"
insertafter: "^#discovery.zen.ping.unicast.hosts"
when: elasticsearch_cluster_members|default("", True)
when: elasticsearch_cluster_members | default("", True) | length > 0
tags:
- config
@ -108,6 +108,6 @@
line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
regexp: "^discovery.zen.minimum_master_nodes:"
insertafter: "^#discovery.zen.minimum_master_nodes"
when: elasticsearch_minimum_master_nodes|default("", True)
when: elasticsearch_minimum_master_nodes | default("", True) | length > 0
tags:
- config
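Review bot: `when: elasticsearch_minimum_master_nodes | default("", True) | length > 0` (last hunk) will raise if the variable holds an integer, which the setting name and the `discovery.zen.minimum_master_nodes: {{ ... }}` line suggest it normally does — `length` has no meaning for an int, whereas the old truthiness test accepted it. Coerce before measuring: `when: elasticsearch_minimum_master_nodes | default("", True) | string | length > 0`. The same `| length > 0` rewrite is applied to `elasticsearch_discovery_seed_hosts` and `elasticsearch_cluster_initial_master_nodes` without any `default` or `is not none` guard, so a null value now errors where the old `when: var` simply skipped; `| default([], True) | length > 0` keeps the skip.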

8
elasticsearch/tasks/datadir.yml

@ -16,8 +16,8 @@
tags:
- elasticsearch
when:
- elasticsearch_custom_datadir != ''
- elasticsearch_custom_datadir != None
- elasticsearch_custom_datadir is not none
- elasticsearch_custom_datadir | length > 0
- name: Datadir is moved to custom path
block:
@ -44,7 +44,7 @@
tags:
- elasticsearch
when:
- elasticsearch_custom_datadir != ''
- elasticsearch_custom_datadir != None
- elasticsearch_custom_datadir is not none
- elasticsearch_custom_datadir | length > 0
- elasticsearch_custom_datadir != elasticsearch_current_real_datadir_test.stdout
- not elasticsearch_custom_datadir_test.stat.exists

4
elasticsearch/tasks/main.yml

@ -15,7 +15,7 @@
- include: additional_scripts.yml
- include: plugin_head.yml
when: elasticsearch_plugin_head
when: elasticsearch_plugin_head | bool
- include: curator.yml
when: elasticsearch_curator
when: elasticsearch_curator | bool

15
elasticsearch/tasks/tmpdir.yml

@ -9,9 +9,14 @@
- name: Tmpdir is moved to custom path
block:
- name: "Create {{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
- set_fact:
_elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}"
tags:
- elasticsearch
- name: "Create {{ _elasticsearch_custom_tmpdir }}"
file:
path: "{{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
path: "{{ _elasticsearch_custom_tmpdir }}"
owner: elasticsearch
group: elasticsearch
mode: "0755"
@ -22,7 +27,7 @@
- name: change JVM tmpdir (< 6.x)
lineinfile:
dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
regexp: "^-Djava.io.tmpdir="
insertafter: "## JVM configuration"
notify:
@ -34,7 +39,7 @@
- name: check if ES_TMPDIR is available (>= 6.x)
lineinfile:
dest: /etc/default/elasticsearch
line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}"
regexp: "^ES_TMPDIR="
insertafter: "JAVA_HOME"
notify:
@ -54,4 +59,4 @@
tags:
- elasticsearch
when: elastic_stack_version is version('6', '>=')
when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec.rc == 0
when: (elasticsearch_custom_tmpdir is not none and elasticsearch_custom_tmpdir | length > 0) or fstab_tmp_noexec.rc == 0
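Review bot: The new `set_fact` task at the top of the block has no `name:`, unlike every other task in the file; give it one, e.g. `- name: Resolve the effective tmpdir path`, so it is identifiable in play output. Because it sits inside the block, `_elasticsearch_custom_tmpdir` is never set when the block's `when:` (the last line of the section, as far as the lost indentation allows one to tell) is false, so any task outside the block that references the fact — none is visible in these hunks — would hit an undefined variable. Also worth a comment on the fact: `default(elasticsearch_default_tmpdir, True)` now applies `mandatory` to the final value, whereas the old `a or b | mandatory` only checked `elasticsearch_default_tmpdir`.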

2
etc-git/tasks/do_commit.yml

@ -50,7 +50,7 @@
register: commit_end_run
when:
- not ansible_check_mode
- git_status.stdout
- git_status.stdout | length > 0
ignore_errors: yes
tags:
- etc-git

2
etc-git/tasks/repository.yml

@ -68,6 +68,6 @@
chdir: "{{ repository_path }}"
warn: no
register: git_commit
when: git_log.rc != 0 or (git_init is defined and git_init.changed)
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
tags:
- etc-git

2
evoacme/tasks/evoacme_hook.yml

@ -16,4 +16,4 @@
src: "hooks/{{ hook_name }}"
dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}"
mode: "0750"
when: _find_hook.stdout == ""
when: _find_hook.stdout | length == 0

2
evoacme/tasks/main.yml

@ -6,7 +6,7 @@
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=')
msg: only compatible with Debian >= 9
when: not evoacme_disable_debian_check
when: not (evoacme_disable_debian_check | bool)
- include: certbot.yml

2
evobackup-client/handlers/main.yml

@ -13,4 +13,4 @@
command: "bkctld restart {{ evolinux_hostname }}"
# - "bkctld sync {{ evolinux_hostname }}"
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
when: evobackup_client__hosts|length > 1
when: evobackup_client__hosts | length > 1

2
evocheck/tasks/exec.yml

@ -10,6 +10,6 @@
- debug:
var: evocheck_run.stdout_lines
when: evocheck_run.stdout != ""
when: evocheck_run.stdout | length > 0
tags:
- evocheck-exec

2
evocheck/tasks/main.yml

@ -7,4 +7,4 @@
when: evocheck_force_install == "package"
- include: cron.yml
when: evocheck_update_crontab
when: evocheck_update_crontab | bool

8
evolinux-base/tasks/default_www.yml

@ -4,7 +4,7 @@
path: /var/www
state: directory
mode: "0755"
when: evolinux_default_www_files
when: evolinux_default_www_files | bool
- name: images are copied
copy:
@ -13,7 +13,7 @@
mode: "0644"
directory_mode: "0755"
follow: yes
when: evolinux_default_www_files
when: evolinux_default_www_files | bool
- name: index is copied
template:
@ -21,7 +21,7 @@
dest: /var/www/index.html
mode: "0644"
force: no
when: evolinux_default_www_files
when: evolinux_default_www_files | bool
# SSL cert
@ -43,6 +43,6 @@
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
when: evolinux_default_www_ssl_cert
when: evolinux_default_www_ssl_cert | bool
- meta: flush_handlers

12
evolinux-base/tasks/fstab.yml

@ -17,7 +17,7 @@
notify: remount /home
when:
- fstab_content.stdout | regex_search('\s/home\s')
- evolinux_fstab_home
- evolinux_fstab_home | bool
- name: /tmp partition is customized
replace:
@ -26,7 +26,7 @@
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
when:
- fstab_content.stdout | regex_search('\s/tmp\s')
- evolinux_fstab_tmp
- evolinux_fstab_tmp | bool
- name: /usr partition is customized
replace:
@ -35,7 +35,7 @@
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
when:
- fstab_content.stdout | regex_search('\s/usr\s')
- evolinux_fstab_usr
- evolinux_fstab_usr | bool
- name: /var partition is customized
replace:
@ -45,7 +45,7 @@
notify: remount /var
when:
- fstab_content.stdout | regex_search('\s/var\s')
- evolinux_fstab_var
- evolinux_fstab_var | bool
- name: /var/tmp is created
mount:
@ -55,7 +55,7 @@
opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}"
state: mounted
when:
- evolinux_fstab_var_tmp
- evolinux_fstab_var_tmp | bool
- name: /dev/shm is created (Debian 10 and later)
mount:
@ -65,7 +65,7 @@
opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
state: mounted
when:
- evolinux_fstab_dev_shm
- evolinux_fstab_dev_shm | bool
- ansible_distribution_major_version is version('10', '>=')
- meta: flush_handlers

10
evolinux-base/tasks/hostname.yml

@ -7,14 +7,14 @@
- name: Set hostname "{{ evolinux_hostname }}"
hostname:
name: "{{ evolinux_hostname }}"
when: evolinux_hostname_hosts
when: evolinux_hostname_hosts | bool
- name: Set right localhost line in /etc/hosts
replace:
dest: /etc/hosts
regexp: '^127.0.0.1(\s+)localhost.*$'
replace: '127.0.0.1\1localhost.localdomain localhost'
when: evolinux_hostname_hosts
when: evolinux_hostname_hosts | bool
- name: Set ip+fqdn+hostname in /etc/hosts
lineinfile:
@ -22,21 +22,21 @@
regexp: '^{{ ansible_default_ipv4.address }}\s+'
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
insertafter: '127.0.0.1\s+localhost.localdomain'
when: evolinux_hostname_hosts
when: evolinux_hostname_hosts | bool
- name: 127.0.1.1 is removed
lineinfile:
dest: /etc/hosts
regexp: '^127.0.1.1\s+'
state: absent
when: evolinux_hostname_hosts
when: evolinux_hostname_hosts | bool
- name: /etc/mailname is up-to-date
copy:
dest: /etc/mailname
content: "{{ evolinux_fqdn }}\n"
force: yes
when: evolinux_hostname_mailname
when: evolinux_hostname_mailname | bool
# Override facts

10
evolinux-base/tasks/kernel.yml

@ -10,7 +10,7 @@
loop:
- { name: kernel.panic_on_oops, value: 1 }
- { name: kernel.panic, value: 60 }
when: evolinux_kernel_reboot_after_panic
when: evolinux_kernel_reboot_after_panic | bool
- name: Don't reboot after panic
sysctl:
@ -21,7 +21,7 @@
loop:
- kernel.panic_on_oops
- kernel.panic
when: not evolinux_kernel_reboot_after_panic
when: not evolinux_kernel_reboot_after_panic | bool
- name: Disable net.ipv4.tcp_timestamps
sysctl:
@ -30,7 +30,7 @@
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
when: evolinux_kernel_disable_tcp_timestamps
when: evolinux_kernel_disable_tcp_timestamps | bool
- name: Customize the swappiness
sysctl:
@ -39,7 +39,7 @@
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
when: evolinux_kernel_customize_swappiness
when: evolinux_kernel_customize_swappiness | bool
- name: Patch for TCP stack vulnerability CVE-2016-5696
sysctl:
@ -48,7 +48,7 @@
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
when: evolinux_kernel_cve20165696
when: evolinux_kernel_cve20165696 | bool
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
sysctl:
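Review bot: `when: not evolinux_kernel_reboot_after_panic | bool` (second hunk) relies on the filter binding tighter than `not`; it does evaluate as `not (… | bool)`, which is what is intended, but the rest of this commit writes the negated form with explicit parentheses (`not (bind_chroot_set | bool)` in bind/tasks/main.yml, `not (evoacme_disable_debian_check | bool)` in evoacme/tasks/main.yml). For consistency and to spare the next reader the precedence question, write `when: not (evolinux_kernel_reboot_after_panic | bool)`.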

10
evolinux-base/tasks/logs.yml

@ -8,7 +8,7 @@
dest: /etc/rsyslog.conf
mode: "0644"
notify: restart rsyslog
when: evolinux_logs_rsyslog_conf
when: evolinux_logs_rsyslog_conf | bool
- name: Disable logrotate default conf
command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
@ -16,25 +16,25 @@
removes: /etc/logrotate.d/rsyslog
creates: /etc/logrotate.d/rsyslog.disabled
notify: restart rsyslog
when: evolinux_logs_disable_logrotate_rsyslog
when: evolinux_logs_disable_logrotate_rsyslog | bool
- name: Copy many logrotate files
copy:
src: logs/logrotate.d/
dest: /etc/logrotate.d/
when: evolinux_logs_logrotate_confs
when: evolinux_logs_logrotate_confs | bool
- name: Copy rsyslog logrotate file
template:
src: logs/zsyslog.j2
dest: /etc/logrotate.d/zsyslog
when: evolinux_logs_logrotate_confs
when: evolinux_logs_logrotate_confs | bool
- name: Configure logrotate.conf
replace:
dest: /etc/logrotate.conf
regexp: "rotate [0-9]+"
replace: "rotate 12"
when: evolinux_logs_default_rotate
when: evolinux_logs_default_rotate | bool
- meta: flush_handlers

50
evolinux-base/tasks/main.yml

@ -13,51 +13,51 @@
vars:
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
when: evolinux_apt_include
when: evolinux_apt_include | bool
- name: /etc versioning with Git
include_role:
name: evolix/etc-git
when: evolinux_etcgit_include
when: evolinux_etcgit_include | bool
- name: /etc/evolinux base
include: etc-evolinux.yml
when: evolinux_etcevolinux_include
when: evolinux_etcevolinux_include | bool
- name: Hostname
include: hostname.yml
when: evolinux_hostname_include
when: evolinux_hostname_include | bool
- name: Kernel tuning
include: kernel.yml
when: evolinux_kernel_include
when: evolinux_kernel_include | bool
- name: Fstab configuration
include: fstab.yml
when: evolinux_fstab_include
when: evolinux_fstab_include | bool
- name: Packages
include: packages.yml
when: evolinux_packages_include
when: evolinux_packages_include | bool
- name: System settings
include: system.yml
when: evolinux_system_include
when: evolinux_system_include | bool
- name: Minifirewall
include_role:
name: evolix/minifirewall
when: evolinux_minifirewall_include
when: evolinux_minifirewall_include | bool
- name: Evomaintenance
include_role:
name: evolix/evomaintenance
when: evolinux_evomaintenance_include
when: evolinux_evomaintenance_include | bool
- name: SSH configuration
include: ssh.yml
when: evolinux_ssh_include
### disabled because of a memory leak
# - name: Create evolinux users
# include_role:
@ -66,66 +66,66 @@
- name: Root user configuration
include: root.yml
when: evolinux_root_include
when: evolinux_root_include | bool
- name: Postfix
include: postfix.yml
when: evolinux_postfix_include
when: evolinux_postfix_include | bool
- name: Logs management
include: logs.yml
when: evolinux_logs_include
when: evolinux_logs_include | bool
- name: Default index page
include: default_www.yml
when: evolinux_default_www_include
when: evolinux_default_www_include | bool
- name: Hardware drivers and tools
include: hardware.yml
when: evolinux_hardware_include
when: evolinux_hardware_include | bool
- name: Customize for Online.net
include: provider_online.yml
when: evolinux_provider_online_include
when: evolinux_provider_online_include | bool
- name: Customize for Orange FCE
include: provider_orange_fce.yml
when: evolinux_provider_orange_fce_include
when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service
include: log2mail.yml
when: evolinux_log2mail_include
when: evolinux_log2mail_include | bool
- include: motd.yml
- name: Munin
include_role:
name: evolix/munin
when: evolinux_munin_include
when: evolinux_munin_include | bool
- name: Nagios/NRPE
include_role:
name: evolix/nagios-nrpe
when: evolinux_nagios_nrpe_include
when: evolinux_nagios_nrpe_include | bool
- name: fail2ban
include_role:
name: evolix/fail2ban
when: evolinux_fail2ban_include
when: evolinux_fail2ban_include | bool
- name: Evocheck
include_role:
name: evolix/evocheck
vars:
evocheck_force_install: "{{ evolinux_evocheck_force_install }}"
when: evolinux_evocheck_include
when: evolinux_evocheck_include | bool
- name: Listupgrade
include_role:
name: evolix/listupgrade
when: evolinux_listupgrade_include
when: evolinux_listupgrade_include | bool
- name: Generate ldif script
include_role:
name: evolix/generate-ldif
when: evolinux_generateldif_include
when: evolinux_generateldif_include | bool
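Review bot: `when: evolinux_ssh_include` on the "SSH configuration" include (first hunk) is the one conditional in this file left untouched while every sibling include gains `| bool`, so a string-valued `evolinux_ssh_include` will still behave differently from the rest. Change it to `when: evolinux_ssh_include | bool`. The commented-out "Create evolinux users" block right after it is unaffected.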

26
evolinux-base/tasks/packages.yml

@ -16,7 +16,7 @@
- ssl-cert
- ca-certificates
- rename
when: evolinux_packages_system
when: evolinux_packages_system | bool
- name: Install/Update diagnostic tools
apt:
@ -34,7 +34,7 @@
- telnet
- traceroute
- man
when: evolinux_packages_diagnostic
when: evolinux_packages_diagnostic | bool
- name: Install/Update hardware tools
apt:
@ -42,7 +42,7 @@
- hdparm
- smartmontools
- lm-sensors
when: evolinux_packages_hardware
when: evolinux_packages_hardware | bool
- name: Install/Update common tools
apt:
@ -58,21 +58,21 @@
- bc
- pinentry-curses
- ncurses-term
when: evolinux_packages_common
when: evolinux_packages_common | bool
- name: Be sure that openntpd package is absent/purged
apt:
name: openntpd
state: absent
purge: True
when: evolinux_packages_purge_openntpd
when: evolinux_packages_purge_openntpd | bool
- name: the chrony package is absent
apt:
name: chrony
purge: True
state: absent
when: evolinux_packages_purge_chrony
when: evolinux_packages_purge_chrony | bool
- name: Be sure locate/mlocate is absent/purged
apt:
@ -81,19 +81,19 @@
- mlocate
state: absent
purge: yes
when: evolinux_packages_purge_locate
when: evolinux_packages_purge_locate | bool
- name: Install/Update serveur-base meta-package
apt:
name: serveur-base
allow_unauthenticated: yes
when: evolinux_packages_serveur_base
when: evolinux_packages_serveur_base | bool
- name: Install/Update packages for Stretch and later
apt:
name: net-tools
when:
- evolinux_packages_stretch
- evolinux_packages_stretch | bool
- ansible_distribution_major_version is version('9', '>=')
- name: Install/Update packages for Buster and later
@ -102,7 +102,7 @@
- spectre-meltdown-checker
- binutils
when:
- evolinux_packages_buster
- evolinux_packages_buster | bool
- ansible_distribution_major_version is version('10', '>=')
- name: Customize logcheck recipient
@ -110,7 +110,7 @@
dest: /etc/logcheck/logcheck.conf
regexp: '^SENDMAILTO=".*"$'
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
when: evolinux_packages_logcheck_recipient
when: evolinux_packages_logcheck_recipient | bool
- name: Deleting rpcbind and nfs-common
apt:
@ -118,7 +118,7 @@
- rpcbind
- nfs-common
state: absent
when: evolinux_packages_delete_nfs
when: evolinux_packages_delete_nfs | bool
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
@ -132,7 +132,7 @@
- { option: "confirm", value: "1" }
- { option: "which", value: "both" }
when:
- evolinux_packages_listchanges
- evolinux_packages_listchanges | bool
- ansible_distribution == "Debian"
- ansible_distribution_release == "jessie"
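Review bot: `line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'` keeps the `a or b | mandatory` form that this commit rewrites in elasticsearch/tasks/tmpdir.yml: `mandatory` binds only to `general_alert_email`, and the same pattern remains in evolinux-base/tasks/postfix.yml (`root: {{ postfix_alias_email or general_alert_email | mandatory }}`). Applying the same rewrite, `{{ logcheck_alert_email | default(general_alert_email, true) | mandatory }}`, would make the three consistent and also tolerate an undefined `logcheck_alert_email`. Neither form rejects an empty string on both sides, since `mandatory` only checks for undefined, so a `SENDMAILTO=""` is still possible; whether that matters depends on the role defaults, which are outside this page.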

10
evolinux-base/tasks/postfix.yml

@ -6,7 +6,7 @@
- postfix
- mailgraph
state: present
when: evolinux_postfix_packages
when: evolinux_postfix_packages | bool
tags:
- packages
- postfix
@ -47,7 +47,7 @@
line: "{{ item }}: root"
loop: "{{ non_root_users_list.stdout_lines }}"
notify: newaliases
when: evolinux_postfix_users_alias_root
when: evolinux_postfix_users_alias_root | bool
tags:
- postfix
@ -64,7 +64,7 @@
- error
- bounce
notify: newaliases
when: evolinux_postfix_mailer_alias_root
when: evolinux_postfix_mailer_alias_root | bool
tags:
- postfix
@ -74,7 +74,7 @@
regexp: "^root:"
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
notify: newaliases
when: evolinux_postfix_root_alias
when: evolinux_postfix_root_alias | bool
tags:
- postfix
@ -89,7 +89,7 @@
- exim4-daemon-light
purge: yes
state: absent
when: evolinux_postfix_purge_exim
when: evolinux_postfix_purge_exim | bool
tags:
- packages
- postfix

18
evolinux-base/tasks/root.yml

@ -5,7 +5,7 @@
path: /root
state: directory
mode: "0700"
when: evolinux_root_chmod
when: evolinux_root_chmod | bool
- name: "Customize root's bashrc..."
lineinfile:
@ -19,7 +19,7 @@
- "export HISTTIMEFORMAT=\"%c : \""
- "shopt -s histappend"
- "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
when: evolinux_root_bashrc
when: evolinux_root_bashrc | bool
## .bash_history should be append-only
@ -28,14 +28,14 @@
content: ""
dest: "/root/.bash_history"
force: no
when: evolinux_root_bash_history
when: evolinux_root_bash_history | bool
- name: Set umask in /root/.profile
lineinfile:
dest: "/root/.profile"
line: "umask 0077"
regexp: "umask [0-9]+"
when: evolinux_root_umask
when: evolinux_root_umask | bool
- name: "/usr/share/scripts is present in root's PATH"
lineinfile:
@ -48,7 +48,7 @@
src: root/gitconfig
dest: "/root/.gitconfig"
force: no
when: evolinux_root_gitconfig
when: evolinux_root_gitconfig | bool
- name: Is .bash_history append-only
shell: lsattr /root/.bash_history | grep -E "^.*a.* "
@ -61,7 +61,7 @@
- name: Set .bash_history append-only
command: chattr +a /root/.bash_history
when:
- evolinux_root_bash_history_appendonly
- evolinux_root_bash_history_appendonly | bool
- bash_history_append_only.rc != 0
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
@ -71,7 +71,7 @@
regexp: '^SELECTED_EDITOR='
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
create: yes
when: evolinux_root_vim_default
when: evolinux_root_vim_default | bool
- name: Setting vim root configuration
lineinfile:
@ -86,7 +86,7 @@
- "set tabstop=4"
- "set softtabstop=4"
- "set shiftwidth=4"
when: evolinux_root_vim_conf
when: evolinux_root_vim_conf | bool
- name: disable SSH access for root
replace:
@ -95,7 +95,7 @@
replace: "PermitRootLogin no"
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: evolinux_root_disable_ssh
when: evolinux_root_disable_ssh | bool
### Disabled : it seems useless and too dangerous for now
# - name: remove root from AllowUsers directive

48
evolinux-base/tasks/system.yml

@ -5,7 +5,7 @@
path: /tmp
state: directory
mode: "u=rwx,g=rwx,o=rwxt"
when: evolinux_system_chmod_tmp
when: evolinux_system_chmod_tmp | bool
- name: Setting default locales
lineinfile:
@ -18,7 +18,7 @@
- "fr_FR ISO-8859-1"
- "fr_FR.UTF-8 UTF-8"
register: default_locales
when: evolinux_system_locales
when: evolinux_system_locales | bool
- name: Reconfigure locales
command: /usr/sbin/locale-gen
@ -28,7 +28,7 @@
timezone:
name: "{{ evolinux_system_timezone | mandatory }}"
notify: restart cron
when: evolinux_system_set_timezone
when: evolinux_system_set_timezone | bool
# TODO : find a way to force the console-data configuration
# non-interactively (like tzdata ↑)
@ -41,13 +41,13 @@
dest: /etc/vim/vimrc
regexp: 'let g:skip_defaults_vim ='
line: 'let g:skip_defaults_vim = 1'
when: evolinux_system_vim_skip_defaults
when: evolinux_system_vim_skip_defaults | bool
- name: Setting vim as default editor
alternatives:
name: editor
path: /usr/bin/vim.basic
when: evolinux_system_vim_default_editor
when: evolinux_system_vim_default_editor | bool
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
lineinfile:
@ -55,14 +55,14 @@
line: "umask 027"
create: yes
state: present
when: evolinux_system_profile
when: evolinux_system_profile | bool
- name: Set /etc/adduser.conf DIR_MODE to 0700
replace:
dest: /etc/adduser.conf
regexp: "^DIR_MODE=0755$"
replace: "DIR_MODE=0700"
when: evolinux_system_dirmode_adduser
when: evolinux_system_dirmode_adduser | bool
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
@ -72,7 +72,7 @@
line: "tty2"
create: yes
state: present
when: evolinux_system_restrict_securetty
when: evolinux_system_restrict_securetty | bool
- name: Setting TMOUT to disconnect inactive users
lineinfile:
@ -80,7 +80,7 @@
line: "export TMOUT=36000"
create: yes
state: present
when: evolinux_system_set_timeout
when: evolinux_system_set_timeout | bool
#- name: Customizing /etc/fstab
@ -97,7 +97,9 @@
line: "EXTRA_OPTS='-L 15'"
create: yes
state: present
when: is_cron_installed.rc == 0 and evolinux_system_cron_verboselog
when:
- is_cron_installed.rc == 0
- evolinux_system_cron_verboselog | bool
- name: Modify default umask for cron deamon
lineinfile:
@ -105,7 +107,9 @@
line: "umask 022"
create: yes
state: present
when: is_cron_installed.rc == 0 and evolinux_system_cron_umask
when:
- is_cron_installed.rc == 0
- evolinux_system_cron_umask | bool
- name: Randomize periodic crontabs
replace:
@ -117,7 +121,9 @@
- { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
- { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
- { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
when: is_cron_installed.rc == 0 and evolinux_system_cron_random
when:
- is_cron_installed.rc == 0
- evolinux_system_cron_random | bool
- include_role:
name: evolix/ntpd
@ -131,7 +137,7 @@
force: no
mode: "0755"
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_init | bool
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
- name: Enable alert5 init script (jessie/stretch)
@ -139,8 +145,8 @@
name: alert5
enabled: yes
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_enable
- evolinux_system_alert5_init | bool
- evolinux_system_alert5_enable | bool
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
@ -152,7 +158,7 @@
force: no
mode: "0755"
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_init | bool
- ansible_distribution_major_version is version('10', '>=')
- name: Install alert5 service (buster)
@ -162,7 +168,7 @@
force: yes
mode: "0644"
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_init | bool
- ansible_distribution_major_version is version('10', '>=')
- name: Enable alert5 init script (buster)
@ -171,8 +177,8 @@
daemon_reload: yes
enabled: yes
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_enable
- evolinux_system_alert5_init | bool
- evolinux_system_alert5_enable | bool
- ansible_distribution_major_version is version('10', '>=')
## network interfaces
@ -189,7 +195,9 @@
dest: /etc/network/interfaces
regexp: "allow-hotplug"
replace: "auto"
when: evolinux_system_eni_auto and grep_hotplug_eni.rc == 0
when:
- evolinux_system_eni_auto | bool
- grep_hotplug_eni.rc == 0
## /sbin/deny
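Review bot: The `| bool` added to the hardening switches in this file (`when: evolinux_system_restrict_securetty | bool`, the umask 027 profile, the adduser DIR_MODE, the TMOUT export) fails open: in the Ansible releases this role appears to target, the `bool` filter maps any unrecognised string — `"enabled"`, `"Yes "` with a stray space — and a null value to false, so a misconfigured variable that the previous bare truthiness test treated as on now silently skips the control instead of applying it or erroring. Because these tasks decide whether login and permission restrictions are enforced, it is worth asserting once near the top of the file that each switch is a genuine YAML boolean, so bad inventory data stops the play rather than disabling a control; `lookup('vars', …)` also raises on an undefined name, which gives fail-closed behaviour for free. The list below covers the switches visible in this section; extend it to the remaining `evolinux_system_*` booleans the role defines.
```yaml
- name: Hardening switches must be real booleans
  assert:
    that: "lookup('vars', item) | type_debug == 'bool'"
    fail_msg: "{{ item }} must be true/false, got {{ lookup('vars', item) | type_debug }}"
  loop:
    - evolinux_system_restrict_securetty
    - evolinux_system_profile
    - evolinux_system_dirmode_adduser
    - evolinux_system_set_timeout
# … unchanged: /tmp mode, locales, timezone, vim, cron, alert5 and interface tasks …
```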

2
evolinux-todo/tasks/cat.yml

@ -10,4 +10,4 @@
- name: "Content of /etc/evolinux/todo.txt"
debug:
var: evolinux_todo.stdout_lines
when: evolinux_todo.stdout != ""
when: evolinux_todo.stdout | length > 0

8
evolinux-users/tasks/main.yml

@ -9,22 +9,22 @@
- debug:
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
when: evolinux_users == {}
when: evolinux_users | length == 0
- name: Create user accounts
include: user.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when: evolinux_users != {}
when: evolinux_users | length > 0
- name: Configure sudo
include: sudo.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when: evolinux_users != {}
when: evolinux_users | length > 0
- name: Configure SSH
include: ssh.yml
when: evolinux_users != {}
when: evolinux_users | length > 0
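Review bot: `when: evolinux_users | length == 0` on the warning task raises `object of type 'NoneType' has no len()` when the variable is present but null (`evolinux_users:` with no value in group_vars or an inventory), so the task meant to warn about an empty user list becomes the failure itself. Unless defaults/main.yml already guarantees a mapping, `when: evolinux_users | default({}, true) | length == 0` on the debug task and the mirrored `| default({}, true) | length > 0` on the three include tasks turn that case into the intended warning-and-skip. The `loop: "{{ evolinux_users | dict2items }}"` lines need the same `default`, since `loop` is expanded before the per-item `when` is evaluated and `dict2items` on null would fail regardless of the condition.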

2
evolinux-users/tasks/ssh.yml

@ -59,6 +59,6 @@
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
notify: reload sshd
when: evolinux_root_disable_ssh
when: evolinux_root_disable_ssh | bool
- meta: flush_handlers
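Review bot: The `PermitRootLogin no` replace gated by `when: evolinux_root_disable_ssh | bool` shows no `validate:` in the visible lines, whereas the equivalent task in evolinux-base/tasks/root.yml earlier in this commit carries `validate: '/usr/sbin/sshd -t -f %s'`; without it a malformed result is handed straight to the `reload sshd` handler that `meta: flush_handlers` fires immediately afterwards. Add `validate: '/usr/sbin/sshd -t -f %s'` next to `notify: reload sshd` so the daemon is only reloaded on a config `sshd -t` accepts. The task's `dest:` and any earlier keys start outside the hunk, so disregard if the key is simply above the visible lines.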

4
evolinux-users/tasks/sudo.yml

@ -4,6 +4,8 @@
when: ansible_distribution_release == "jessie"
- include: sudo_stretch.yml
when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=')
when:
- ansible_distribution_major_version is defined
- ansible_distribution_major_version is version('9', '>=')
- meta: flush_handlers
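Review bot: The `ansible_distribution_major_version is defined` guard added on the stretch include is inconsistent with the jessie include two lines above, whose `when: ansible_distribution_release == "jessie"` dereferences a fact unguarded, so a run without gathered facts fails there before the new guard ever matters; and when facts are present but the release is neither jessie nor 9+, sudo is silently left unconfigured on that host. Either drop the guard or make the unsupported case explicit, e.g. `- assert: { that: "ansible_distribution_major_version is defined" }` ahead of the two includes, so a host whose privilege-escalation policy was never applied is reported rather than passed over.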

2
evolinux-users/tasks/sudo_jessie.yml

@ -15,4 +15,4 @@
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/visudo -cf %s'
when: not copy_sudoers_evolinux.changed
when: copy_sudoers_evolinux is not changed
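Review bot: `when: copy_sudoers_evolinux is not changed` is the only condition on a task that edits the `ADMINS` alias, and nothing says why a freshly (re)written sudoers file is the case in which `user.name` is *not* appended; a reader cannot tell from this file whether the copied file already lists every user or the append is being skipped by accident. Add a comment above the task stating the reason once confirmed against the copy task, which starts outside the hunk, e.g. `# Skipped when copy_sudoers_evolinux just (re)wrote the file because … (confirm)`. Separately, the `(?!{{ user.name }})` lookahead in the visible regexp matches the name as a substring, so `bob` is never added to an alias that already contains `bobby`; `((?!\b{{ user.name }}\b).)*` bounds it to a whole token and the single-quoted YAML string passes `\b` through unchanged.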

20
evolinux-users/tasks/user.yml

@ -4,11 +4,11 @@
- fail:
msg: "You must provide a value for the 'user.name ' variable."
when: user.name is not defined or user.name == ''
when: user.name is not defined or user.name | length == 0
- fail:
msg: "You must provide a value for the 'user.uid ' variable."
when: user.uid is not defined or user.uid == ''
when: user.uid is not defined or user.uid | length == 0
- name: "Test if '{{ user.name }}' exists"
command: 'id -u "{{ user.name }}"'
@ -102,7 +102,7 @@
state: present
when:
- evolinux_internal_group is defined
- evolinux_internal_group != ""
- evolinux_internal_group | length > 0
- ansible_distribution_major_version is version('9', '>=')
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
@ -112,7 +112,7 @@
append: yes
when:
- evolinux_internal_group is defined
- evolinux_internal_group != ""
- evolinux_internal_group | length > 0
- ansible_distribution_major_version is version('9', '>=')
## Optional secondary groups, defined per user
@ -125,7 +125,7 @@