Merge branch 'unstable' into stable

Gregory Colpart 2017-08-31 04:07:54 +02:00
commit 6ac4bdf734
28 changed files with 153 additions and 393 deletions


@ -27,5 +27,5 @@ There is also an independant task that can be executed to commit changes made in
name: etc-git
tasks_from: commit.yml
vars:
commit_message: "Ansible pre-run my splendid playbook"
commit_message: "Ansible post-run my splendid playbook"
```


@ -4,13 +4,6 @@
apt:
name: git
state: present
when: ansible_os_family == "Debian"
- name: Git is installed (OpenBSD)
openbsd_pkg:
name: git
state: present
when: ansible_os_family == "OpenBSD"
- name: /etc is versioned with git
command: "git init ."
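Review bot: With the OpenBSD install task dropped, the `/etc is versioned with git` task at the end of the hunk is the only step left that is not gated by `ansible_os_family == "Debian"`, so on any other family the role now reaches `git init .` without having installed git. The task's `args`/`creates` settings continue outside the hunk and may already make a repeat run benign, but they do not cover the first run on a host without git. Either add `when: ansible_os_family == "Debian"` to that task as well, or put an explicit `fail:` for unsupported families at the top of the file so the dropped platform support is deliberate rather than a runtime error.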


@ -5,7 +5,6 @@ Install and run evocheck ; a script for checking various settings automatically.
## Tasks
The roles does not install evocheck by default as it should be installed through dependencies.
For OpenBSD, it should be packaged, but the work is not done yet.
A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example :


@ -33,7 +33,6 @@ Main variables are:
* `evolinux_apt_hooks`: install APT hooks (default: `True`)
* `evolinux_apt_remove_aptitude`: uninstall aptitude (default: `True`)
* `evolinux_delete_nfs`: delete NFS tools (default: `True`)
* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`)
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
* `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)


@ -83,7 +83,7 @@ evolinux_system_locales: True
evolinux_system_set_timezone: True
evolinux_system_timezone: "Europe/Paris"
evolinux_system_vim_skip_defaults: true
evolinux_system_vim_skip_defaults: True
evolinux_system_vim_default_editor: True
evolinux_system_profile: True
evolinux_system_dirmode_adduser: True
@ -96,10 +96,6 @@ evolinux_system_alert5_init: True
evolinux_system_alert5_enable: True
evolinux_system_eni_auto: True
evolinux_system_ntprestrict: True
evolinux_system_set_ntpserver: True
evolinux_system_ntpserver: "ntp.evolix.net"
# root
evolinux_root_include: True


@ -72,7 +72,3 @@
name: postfix
state: reloaded
- name: restart ntp
service:
name: ntp
state: restarted


@ -27,7 +27,7 @@
- block:
- name: Create private key and csr for default site ({{ ansible_fqdn }})
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ evolinux_default_www_ssl_subject }}"
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
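Review bot: The two `openssl req` lines differ only in whether the `/CN=` prefix lives in the task or in `evolinux_default_www_ssl_subject`; `openssl req -subj` expects a full DN in `/type=value` form, so if the line without the prefix is the one kept (print order suggests so, but the rendered page does not show which side is new), the variable's default and the role README must now carry the whole DN (e.g. `/CN=www.example.org`, constructed) or openssl rejects the subject and the task fails. Confirm which side is new and document the expected format next to the variable's default. The enclosing `block:` starts before and ends after this hunk.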


@ -14,5 +14,5 @@
systemd:
name: log2mail
daemon-reload: yes
state: restarted
state: started
enabled: yes


@ -6,7 +6,6 @@
with_items:
- locales
- sudo
- ntp
- ntpdate
- lsb-release
- dnsutils


@ -111,23 +111,8 @@
- { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
when: evolinux_system_cron_random
# NTP listen retriction
- name: Listen only on lo interface
# NTP server address
lineinfile:
dest: /etc/ntp.conf
line: "interface ignore wildcard"
notify: restart ntp
when: evolinux_system_ntprestrict
- name: Configure NTP
replace:
dest: /etc/ntp.conf
regexp: "^server .*$"
replace: "server {{ evolinux_system_ntpserver }}"
notify: restart ntp
when: evolinux_system_set_ntpserver
- include_role:
name: ntpd
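Review bot: The `include_role: name: ntpd` that closes the hunk carries neither `when:` nor `tags:`, whereas the two tasks it replaces were gated by `evolinux_system_ntprestrict` and `evolinux_system_set_ntpserver`; inventories that set those to False used to skip NTP configuration entirely and will now get the role unconditionally. Consider keeping an opt-out on the include, e.g. `when: evolinux_system_ntp` with a documented default (variable name to be chosen), and a `tags:` entry so `--tags` runs still reach it. The `restart ntp` handler removed in the handlers hunk is no longer referenced here, which is consistent provided the `ntpd` role ships its own handler — confirm.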
## alert5


@ -11,9 +11,9 @@ minifirewall_privilegied_ips: []
minifirewall_protected_ports_tcp: [22]
minifirewall_protected_ports_udp: []
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
minifirewall_public_ports_udp: [53]
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
minifirewall_public_ports_tcp: [22, 80, 443]
minifirewall_public_ports_udp: []
minifirewall_semipublic_ports_tcp: [20, 21, 25]
minifirewall_semipublic_ports_udp: []
minifirewall_private_ports_tcp: [5666]
minifirewall_private_ports_udp: []
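Review bot: Port 22 is listed in `minifirewall_protected_ports_tcp: [22]` (context line) and, on both sides of the change, also in a public or semi-public list (`minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]` on one side, `minifirewall_public_ports_tcp: [22, 80, 443]` on the other); the two classifications contradict each other, and the effective policy depends on the order in which minifirewall emits its rules, which these defaults do not document. Remove 22 from the public/semi-public list, or add a comment above the lists stating which category wins when a port appears in several, so that a reader does not assume SSH is restricted to `minifirewall_privilegied_ips` when it may be open to all.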


@ -1,7 +1,7 @@
---
monit_daemon_time: 60
monit_alert_dest:
monit_httpd_enable: true
monit_httpd_enable: True
monit_httpd_port: 2812
monit_httpd_allow_items:
- localhost
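Review bot: `monit_alert_dest:` with no value (context line above the change) parses as null rather than an empty string; if "no alert destination" is the intended default, `monit_alert_dest: null` states that explicitly and satisfies yamllint's `empty-values` rule without changing the loaded value. The `monit_httpd_enable` line prints as both `true` and `True`; whichever spelling the merge keeps, use the same one for every boolean in this file (yamllint's `truthy` rule recommends lowercase `true`).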


@ -1,87 +0,0 @@
---
- name: Ensure that Munin is installed
apt:
name: '{{ item }}'
state: present
with_items:
- munin
- munin-node
- munin-plugins-core
- munin-plugins-extra
tags:
- munin
- packages
- block:
- name: Replace localdomain in Munin config
replace:
dest: /etc/munin/munin.conf
regexp: 'localhost.localdomain'
replace: '{{ ansible_fqdn }}'
notify: restart munin-node
- name: Rename the localdomain data dir
command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }}
args:
creates: /var/lib/munin/{{ ansible_domain }}
removes: /var/lib/munin/localdomain
notify: restart munin-node
when: not ansible_hostname == "localdomain"
tags:
- munin
- name: Ensure some Munin plugins are disabled
file:
path: '/etc/munin/plugins/{{ item }}'
state: absent
with_items:
- http_loadtime
- exim_mailqueue
- exim_mailstats
- nfsd
- nfsd4
- nfs_client
- nfs4_client
notify: restart munin-node
tags:
- munin
- name: Ensure some Munin plugins are enabled
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- meminfo
- netstat_multi
- tcp
notify: restart munin-node
tags:
- munin
- name: Enable sensors plugin unless VM detected
file:
src: /usr/share/munin/plugins/sensors_
dest: /etc/munin/plugins/sensors_temp
state: link
when: ansible_virtualization_role != "guest"
notify: restart munin-node
tags:
- munin
- name: adjustments for grsec kernel
blockinfile:
dest: /etc/munin/plugin-conf.d/munin-node
block: |
[processes]
user root
[vmstat]
user root
[swap]
user root
when: ansible_kernel | search("-grs-")


@ -1,6 +1,87 @@
---
- include: debian.yml
when: ansible_os_family == "Debian"
- include: openbsd.yml
when: ansible_os_family == "OpenBSD"
- name: Ensure that Munin is installed
apt:
name: '{{ item }}'
state: present
with_items:
- munin
- munin-node
- munin-plugins-core
- munin-plugins-extra
tags:
- munin
- packages
- block:
- name: Replace localdomain in Munin config
replace:
dest: /etc/munin/munin.conf
regexp: 'localhost.localdomain'
replace: '{{ ansible_fqdn }}'
notify: restart munin-node
- name: Rename the localdomain data dir
command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }}
args:
creates: /var/lib/munin/{{ ansible_domain }}
removes: /var/lib/munin/localdomain
notify: restart munin-node
when: not ansible_hostname == "localdomain"
tags:
- munin
- name: Ensure some Munin plugins are disabled
file:
path: '/etc/munin/plugins/{{ item }}'
state: absent
with_items:
- http_loadtime
- exim_mailqueue
- exim_mailstats
- nfsd
- nfsd4
- nfs_client
- nfs4_client
notify: restart munin-node
tags:
- munin
- name: Ensure some Munin plugins are enabled
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- meminfo
- netstat_multi
- tcp
notify: restart munin-node
tags:
- munin
- name: Enable sensors plugin unless VM detected
file:
src: /usr/share/munin/plugins/sensors_
dest: /etc/munin/plugins/sensors_temp
state: link
when: ansible_virtualization_role != "guest"
notify: restart munin-node
tags:
- munin
- name: adjustments for grsec kernel
blockinfile:
dest: /etc/munin/plugin-conf.d/munin-node
block: |
[processes]
user root
[vmstat]
user root
[swap]
user root
when: ansible_kernel | search("-grs-")
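Review bot: The `block:` guard `when: not ansible_hostname == "localdomain"` compares the short hostname against a domain name, while the tasks it guards rewrite `localhost.localdomain` and rename `/var/lib/munin/localdomain` to `/var/lib/munin/{{ ansible_domain }}`; this looks like it was meant to be `when: ansible_domain != "localdomain"` — confirm against the intent. Note also that with an empty `ansible_domain` the `mv` target collapses to `/var/lib/munin/`, which always exists, so `creates:` silently skips the rename. With the `include: debian.yml` / `openbsd.yml` lines removed, the `apt` task now runs on every host; if OpenBSD support is intentionally dropped here, an early `fail:` on unsupported `ansible_os_family` would make that explicit instead of failing inside `apt`.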


@ -1,100 +0,0 @@
---
- name: Ensure that Munin is installed
openbsd_pkg:
name: '{{ item }}'
state: present
with_items:
- munin-server
- munin-node
tags:
- munin
- packages
- name: Set munin.conf file
template:
src: munin.conf.j2
dest: /etc/munin/munin.conf
mode: "0644"
tags:
- munin
- name: Create munin www directory
file:
path: '{{ munin_dir }}'
state: directory
owner: _munin
group: www
mode: "0755"
tags:
- munin
- name: Set munin-node config
template:
src: munin-node.conf.j2
dest: /etc/munin/munin-node.conf
mode: "0644"
notify: restart munin_node
tags:
- munin
- name: Install munin cron
copy:
src: "crontab"
dest: "/var/cron/tabs/_munin"
owner: "_munin"
group: "crontab"
tags:
- munin
- name: Enable munin plugins
file:
src: "/usr/local/libexec/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- cpu
- df
- df_inode
- load
- memory
- munin_stats
- netstat
- open_files
- pf_changes
- pf_searches
- pf_states
- processes
- systat
- uptime
- users
- vmstat
notify: restart munin_node
tags:
- munin
- name: Enable network graphs
file:
src: "/usr/local/libexec/munin/plugins/if_"
dest: "/etc/munin/plugins/if_{{ item }}"
state: link
notify: restart munin_node
with_items: "{{ ansible_interfaces }}"
- name: Enable sensors plugin unless VM detected
file:
src: /usr/local/libexec/munin/plugins/sensors_
dest: /etc/munin/plugins/sensors_temp
state: link
when: ansible_vio0 is undefined
notify: restart munin_node
tags:
- munin
- name: Activating munin_node
service:
name: munin_node
enabled: yes
state: started
tags:
- munin


@ -1,51 +0,0 @@
---
- name: packages are installed
apt:
name: "{{ item }}"
state: present
with_items:
- nagios-nrpe-server
- nagios-plugins
- nagios-plugins-basic
- nagios-plugins-common
- nagios-plugins-contrib
- nagios-plugins-standard
- name: custom configuration is present
template:
src: evolix.cfg.j2
dest: /etc/nagios/nrpe.d/evolix.cfg
group: nagios
mode: "0640"
notify: restart nagios-nrpe-server
- name: Nagios config is secured
file:
dest: /etc/nagios/
mode: "0750"
group: nagios
state: directory
notify: restart nagios-nrpe-server
- include: remount_usr_rw.yml
when: nagios_plugins_directory | search ("/usr")
tags:
- nagios-plugins
- name: Nagios plugins are installed
copy:
src: plugins/
dest: "{{ nagios_plugins_directory }}/"
mode: "0755"
notify: restart nagios-nrpe-server
tags:
- nagios-plugins
- name: Nagios lib is secured
file:
dest: /usr/local/lib/nagios/
mode: "0755"
group: nagios
recurse: yes
state: directory
notify: restart nagios-nrpe-server


@ -1,10 +1,51 @@
---
- include: debian.yml
when: ansible_os_family == "Debian"
tags:
- nagios
- name: packages are installed
apt:
name: "{{ item }}"
state: present
with_items:
- nagios-nrpe-server
- nagios-plugins
- nagios-plugins-basic
- nagios-plugins-common
- nagios-plugins-contrib
- nagios-plugins-standard
- include: openbsd.yml
when: ansible_os_family == "OpenBSD"
- name: custom configuration is present
template:
src: evolix.cfg.j2
dest: /etc/nagios/nrpe.d/evolix.cfg
group: nagios
mode: "0640"
notify: restart nagios-nrpe-server
- name: Nagios config is secured
file:
dest: /etc/nagios/
mode: "0750"
group: nagios
state: directory
notify: restart nagios-nrpe-server
- include: remount_usr_rw.yml
when: nagios_plugins_directory | search ("/usr")
tags:
- nagios
- nagios-plugins
- name: Nagios plugins are installed
copy:
src: plugins/
dest: "{{ nagios_plugins_directory }}/"
mode: "0755"
notify: restart nagios-nrpe-server
tags:
- nagios-plugins
- name: Nagios lib is secured
file:
dest: /usr/local/lib/nagios/
mode: "0755"
group: nagios
recurse: yes
state: directory
notify: restart nagios-nrpe-server
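Review bot: `Nagios lib is secured` applies `mode: "0755"` with `recurse: yes` to everything under `/usr/local/lib/nagios/`, which marks every file in that tree executable rather than only the plugin binaries; the symbolic form `mode: "u=rwX,g=rX,o=rX"` keeps directories traversable and preserves the execute bit only where it is already set. The `include: debian.yml` / `openbsd.yml` guards are gone, so the `apt` task now runs on every host; an explicit `fail:` for unsupported `ansible_os_family` values would document the dropped OpenBSD path. The repeated `notify: restart nagios-nrpe-server` on a permission-only task is harmless but worth a comment saying why a restart is wanted after a `chmod`.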


@ -1,42 +0,0 @@
---
- name: packages are installed
openbsd_pkg:
name: "{{ item }}"
state: present
with_items:
- nrpe--
- monitoring-plugins
- name: Create nrpe.d dir
file:
path: /etc/nrpe.d
state: directory
owner: root
group: wheel
mode: "0755"
- name: Include nrpe.d dir in nrpe.cfg
lineinfile:
dest: /etc/nrpe.cfg
line: 'include_dir=/etc/nrpe.d'
- name: custom configuration is present
template:
src: evolix_bsd.cfg.j2
dest: /etc/nrpe.d/evolix.cfg
notify: restart nrpe
- name: Nagios plugins are installed
copy:
src: plugins_bsd/
dest: /usr/local/libexec/nagios/plugins/
owner: root
group: wheel
mode: "0755"
notify: restart nrpe
- name: Starting and enabling nrpe
service:
name: nrpe
enabled: yes
state: started


@ -1,5 +0,0 @@
Role Name
=========
Configure newsyslog by Evolix standard


@ -1,15 +0,0 @@
# Syslog for Pack Evolix
# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST
# logfile_name owner:group mode count size when flags
/var/cron/log root:wheel 600 52 * 168 Z
/var/log/authlog root:wheel 640 52 * 168 Z
/var/log/daemon 640 52 * 168 Z
/var/log/lpd-errs 640 7 * 24 Z
/var/log/maillog 640 52 * 168 Z
/var/log/messages 644 52 * 168 Z
/var/log/secure 600 52 * 168 Z
/var/log/wtmp 644 7 * $W6D4 ZB
/var/log/xferlog 640 7 250 * Z
/var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd"
/var/www/logs/access.log 644 4 * $W0 Z "pkill -USR1 -u root -U root -x httpd"
/var/www/logs/error.log 644 7 250 * Z "pkill -USR1 -u root -U root -x httpd"


@ -1,15 +0,0 @@
galaxy_info:
author: Evolix
description: Basic configuration of newsyslog
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
license: GPLv2
min_ansible_version: 2.2
platforms:
- name: OpenBSD
versions:
- 6.1


@ -1,7 +0,0 @@
---
#- include: debian.yml
# when: ansible_os_family == "Debian"
- include: openbsd.yml
when: ansible_os_family == "OpenBSD"


@ -1,12 +0,0 @@
---
# no need to enable any daemon, it's run (by default) with cron(8)
- name: Configuring newsyslog
copy:
src: newsyslog.conf
dest: /etc/newsyslog.conf
owner: root
group: wheel
mode: "0644"
tags:
- log
- newsyslog


@ -1,6 +1,7 @@
---
ntpd_only_local: True
ntpd_servers:
- 'pool.ntp.org'
- 'ntp.evolix.net'
ntpd_acls:
- '127.0.0.1'
- '::1'


@ -2,6 +2,11 @@
driftfile /var/lib/ntp/ntp.drift
{% if ntpd_only_local is defined and ntpd_only_local %}
# Only listen on 127.0.0.1 and ::1
interface ignore wildcard
{% endif %}
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
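Review bot: The comment `# Only listen on 127.0.0.1 and ::1` overstates what the single `interface ignore wildcard` line below it does: per ntp.conf(5) that rule only stops ntpd from opening the wildcard (0.0.0.0 / ::) sockets, and every specific interface address is still opened because `listen` remains the default for unmatched addresses. To actually restrict ntpd to loopback the block needs `interface ignore all` followed by `interface listen 127.0.0.1` and `interface listen ::1` (last matching rule wins), unless such lines already follow outside the hunk — confirm. The loopback-only `ntpd_acls` default in the role suggests loopback-only listening is the intent, so either complete the rules or reword the comment to `# Do not bind the wildcard sockets`.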


@ -33,3 +33,4 @@ refresh_pattern . 0 20% 4320
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
include /etc/squid/evolinux-custom.conf
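Review bot: The added `include /etc/squid/evolinux-custom.conf` makes squid's configuration parse fail when that file is absent, so the role must create it before squid is started or reloaded; the tasks are not part of this diff, so confirm that an empty placeholder is deployed (e.g. `copy` or `file` with `force: no` so local edits survive later runs). If the file is optional by design, a comment above the line saying that it must exist, even if empty, would save the next operator a failed restart.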


@ -15,11 +15,7 @@ server:
# root-hints: "/var/unbound/etc/named.cache"
# Uncomment to enable DNSSEC validation.
{% if ansible_os_family == "OpenBSD" %}
auto-trust-anchor-file: "/var/unbound/db/root.key"
{% else %}
#auto-trust-anchor-file: "/etc/unbound/root.key"
{% endif %}
# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
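Review bot: With the `{% if ansible_os_family == "OpenBSD" %}` branch removed, the only trust-anchor line left in the rendered file is the commented `#auto-trust-anchor-file: "/etc/unbound/root.key"`, so this template does not enable DNSSEC validation by itself. Debian's unbound package normally turns validation on through `/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf`, but only if the rendered config keeps an `include:` of that directory, which is not visible in this hunk — confirm, and otherwise uncomment the line so the resolver validates. The `# Uncomment to enable DNSSEC validation.` comment should then say whether validation is expected to come from the conf.d include or from this line.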


@ -43,6 +43,8 @@
src: config.local.php.j2
dest: "{{ evoadmin_document_root}}/conf/config.local.php"
mode: "0644"
owner: evoadmin
group: evoadmin
force: no
- name: add www-evoadmin to shadow group