evolinux-base: syntax
parent
6f61a0744c
commit
8f25dfe041
|
@ -1,13 +1,13 @@
|
|||
---
|
||||
- name: /var/www is present
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /var/www
|
||||
state: directory
|
||||
mode: "0755"
|
||||
when: evolinux_default_www_files | bool
|
||||
|
||||
- name: images are copied
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: default_www/img
|
||||
dest: /var/www/
|
||||
mode: "0644"
|
||||
|
@ -16,7 +16,7 @@
|
|||
when: evolinux_default_www_files | bool
|
||||
|
||||
- name: index is copied
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: default_www/index.html.j2
|
||||
dest: /var/www/index.html
|
||||
mode: "0644"
|
||||
|
@ -28,21 +28,23 @@
|
|||
- name: Default certificate is present
|
||||
block:
|
||||
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
|
||||
ansible.builtin.command:
|
||||
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
|
||||
args:
|
||||
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
- name: Adjust rights on private key
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /etc/ssl/private/{{ ansible_fqdn }}.key
|
||||
owner: root
|
||||
group: ssl-cert
|
||||
mode: "0640"
|
||||
|
||||
- name: Create certificate for default site
|
||||
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||
ansible.builtin.command:
|
||||
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||
args:
|
||||
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
||||
when: evolinux_default_www_ssl_cert | bool
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
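Review bot: With the two openssl tasks now in dict form (`ansible.builtin.command:` / `cmd:`), `creates` can sit next to `cmd` instead of under a separate `args:` mapping; `ansible.builtin.command:` `cmd: openssl req …` `creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"` reads as one parameter block and drops the extra nesting, and the same applies to the `x509 -req` task in this block. While here, the `path:` of the 'Adjust rights on private key' task leaves its templated value unquoted whereas both `creates:` values are quoted; `path: "/etc/ssl/private/{{ ansible_fqdn }}.key"` keeps the three paths consistent. Note that the `creates` guard on the key means the `x509 -req` task, which reads the `.csr`, will fail rather than regenerate if the key survives but the CSR was removed; if that coupling is intended, a one-line comment on the block would save the next reader from treating it as a bug.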
@ -1,5 +1,5 @@
|
|||
- name: dump-server-state script is present
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "dump-server-state.sh"
|
||||
dest: /usr/local/sbin/dump-server-state
|
||||
force: True
|
||||
|
@ -8,7 +8,7 @@
|
|||
mode: "0750"
|
||||
|
||||
- name: symlink backup-server-state to dump-server-state
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
src: /usr/local/sbin/dump-server-state
|
||||
dest: /usr/local/sbin/backup-server-state
|
||||
state: link
|
||||
|
|
|
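Review bot: `force: True` on the dump-server-state copy task keeps a capitalised boolean in a commit whose purpose is syntax normalisation; both spellings parse as booleans under PyYAML's YAML 1.1 rules, but ansible-lint's `yaml[truthy]` rule flags anything other than lowercase, so `force: true` is the form to use. The same applies to `force: True` in the motd section, `force: yes` in the hostname section, `daemon-reload: yes` / `enabled: yes` in the log2mail section, `purge: True` and `allow_unauthenticated: yes` in the packages section, `purge: yes` in the postfix section and `enabled: yes` / `force: yes` in the system section; fixing them all here avoids a second cosmetic pass later.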
@ -2,7 +2,7 @@
|
|||
|
||||
### This is taken care of by the evolinux-todo role
|
||||
# - name: /etc/evolinux exists
|
||||
# file:
|
||||
# ansible.builtin.file:
|
||||
# dest: /etc/evolinux
|
||||
# owner: root
|
||||
# group: root
|
||||
|
|
|
@ -4,69 +4,70 @@
|
|||
# TODO: try to use the custom mount_uuid module for a different approach
|
||||
|
||||
- name: Fetch fstab content
|
||||
command: "grep -v '^#' /etc/fstab"
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -v '^#' /etc/fstab"
|
||||
check_mode: no
|
||||
register: fstab_content
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: /home partition is customized
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)'
|
||||
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
|
||||
notify: remount /home
|
||||
when:
|
||||
- fstab_content.stdout | regex_search('\s/home\s')
|
||||
- evolinux_fstab_home | bool
|
||||
- fstab_content.stdout | regex_search('\s/home\s')
|
||||
- evolinux_fstab_home | bool
|
||||
|
||||
- name: /tmp partition is customized
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
|
||||
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
|
||||
when:
|
||||
- fstab_content.stdout | regex_search('\s/tmp\s')
|
||||
- evolinux_fstab_tmp | bool
|
||||
- fstab_content.stdout | regex_search('\s/tmp\s')
|
||||
- evolinux_fstab_tmp | bool
|
||||
|
||||
- name: /usr partition is customized
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
|
||||
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
|
||||
when:
|
||||
- fstab_content.stdout | regex_search('\s/usr\s')
|
||||
- evolinux_fstab_usr | bool
|
||||
- fstab_content.stdout | regex_search('\s/usr\s')
|
||||
- evolinux_fstab_usr | bool
|
||||
|
||||
- name: /var partition is customized
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)'
|
||||
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
|
||||
notify: remount /var
|
||||
when:
|
||||
- fstab_content.stdout | regex_search('\s/var\s')
|
||||
- evolinux_fstab_var | bool
|
||||
- fstab_content.stdout | regex_search('\s/var\s')
|
||||
- evolinux_fstab_var | bool
|
||||
|
||||
- name: /var/tmp is created
|
||||
mount:
|
||||
ansible.posix.mount:
|
||||
src: tmpfs
|
||||
name: /var/tmp
|
||||
fstype: tmpfs
|
||||
opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}"
|
||||
state: mounted
|
||||
when:
|
||||
- evolinux_fstab_var_tmp | bool
|
||||
- evolinux_fstab_var_tmp | bool
|
||||
|
||||
- name: /dev/shm is created (Debian 10 and later)
|
||||
mount:
|
||||
ansible.posix.mount:
|
||||
src: tmpfs
|
||||
name: /dev/shm
|
||||
fstype: tmpfs
|
||||
opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
|
||||
state: mounted
|
||||
when:
|
||||
- evolinux_fstab_dev_shm | bool
|
||||
- ansible_distribution_major_version is version('10', '>=')
|
||||
- evolinux_fstab_dev_shm | bool
|
||||
- ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
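Review bot: The options group `([a-z,]+)` in the `/home`, `/tmp`, `/usr` and `/var` `ansible.builtin.replace` regexps only matches option strings made of lowercase letters and commas, so an fstab line whose fourth field contains `=`, a digit or an uppercase letter (`errors=remount-ro`, `data=ordered`, `uid=1000`) is silently left untouched and the task still reports ok, meaning the intended mount options are never applied on such hosts. If the intent is to replace whatever options are present, `regexp: '([^#]\s+/home\s+\S+\s+)(\S+)(\s+)'` (and likewise for the other three) does that; if only plain option strings are meant to be rewritten, a comment saying so would stop the skip from being read as a bug. Separately, the `/var/tmp` and `/dev/shm` tasks become the first use of `ansible.posix.mount` in this role; unless `ansible.posix` (and `community.general`, used by the system section) is already declared in the role's collection requirements, this commit introduces a hard dependency that should be listed alongside it.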
@ -1,29 +1,29 @@
|
|||
---
|
||||
- name: dbus is installed
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: dbus
|
||||
state: present
|
||||
|
||||
- name: dbus is enabled and started
|
||||
service:
|
||||
ansible.builtin.systemd:
|
||||
name: dbus
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Set hostname "{{ evolinux_hostname }}"
|
||||
hostname:
|
||||
ansible.builtin.hostname:
|
||||
name: "{{ evolinux_hostname }}"
|
||||
when: evolinux_hostname_hosts | bool
|
||||
|
||||
- name: Set right localhost line in /etc/hosts
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/hosts
|
||||
regexp: '^127.0.0.1(\s+)localhost.*$'
|
||||
replace: '127.0.0.1\1localhost.localdomain localhost'
|
||||
when: evolinux_hostname_hosts | bool
|
||||
|
||||
- name: Set ip+fqdn+hostname in /etc/hosts
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/hosts
|
||||
regexp: '^{{ ansible_default_ipv4.address }}\s+'
|
||||
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
|
||||
|
@ -31,14 +31,14 @@
|
|||
when: evolinux_hostname_hosts | bool
|
||||
|
||||
- name: 127.0.1.1 is removed
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/hosts
|
||||
regexp: '^127.0.1.1\s+'
|
||||
state: absent
|
||||
when: evolinux_hostname_hosts | bool
|
||||
|
||||
- name: /etc/mailname is up-to-date
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/mailname
|
||||
content: "{{ evolinux_fqdn }}\n"
|
||||
force: yes
|
||||
|
@ -47,18 +47,18 @@
|
|||
# Override facts
|
||||
|
||||
- name: Override ansible_hostname fact
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_hostname: "{{ evolinux_hostname }}"
|
||||
when: ansible_hostname != evolinux_hostname
|
||||
|
||||
- name: Override ansible_domain fact
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_domain: "{{ evolinux_domain }}"
|
||||
when: ansible_domain != evolinux_domain
|
||||
|
||||
- name: Override ansible_fqdn fact
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_fqdn: "{{ evolinux_fqdn }}"
|
||||
when: ansible_fqdn != evolinux_fqdn
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
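Review bot: The `/etc/hosts` regexps in this file interpolate literal IP addresses into a pattern without escaping the dots: `'^127.0.0.1(\s+)localhost.*$'`, `'^{{ ansible_default_ipv4.address }}\s+'` and `'^127.0.1.1\s+'` each treat `.` as a wildcard. A mismatch is unlikely in practice because `\s+` must follow, but the templated one can be made exact with `regexp: '^{{ ansible_default_ipv4.address | regex_escape }}\s+'` and the literals with `\.`. Also, `service:` becoming `ansible.builtin.systemd:` for dbus is a module change rather than a plain FQCN rename (the equivalent would be `ansible.builtin.service`); a short comment on the task stating why the systemd module is preferred would keep it from reading as accidental. `force: yes` on the mailname copy should be `force: true` to match the rest of the normalisation.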
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: "Use Cloud kernel on virtual servers"
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: "linux-image-cloud-amd64"
|
||||
state: present
|
||||
when:
|
||||
|
@ -10,7 +10,7 @@
|
|||
- evolinux_kernel_cloud_auto | bool
|
||||
|
||||
- name: "Remove non-Cloud kernel on virtual servers"
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: "linux-image-amd64"
|
||||
state: absent
|
||||
when:
|
||||
|
@ -19,7 +19,7 @@
|
|||
- evolinux_kernel_cloud_auto | bool
|
||||
|
||||
- name: Reboot after panic
|
||||
sysctl:
|
||||
ansible.posix.sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
|
@ -31,7 +31,7 @@
|
|||
when: evolinux_kernel_reboot_after_panic | bool
|
||||
|
||||
- name: Don't reboot after panic
|
||||
sysctl:
|
||||
ansible.posix.sysctl:
|
||||
name: "{{ item }}"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
state: absent
|
||||
|
@ -42,7 +42,7 @@
|
|||
when: not evolinux_kernel_reboot_after_panic | bool
|
||||
|
||||
- name: Disable net.ipv4.tcp_timestamps
|
||||
sysctl:
|
||||
ansible.posix.sysctl:
|
||||
name: net.ipv4.tcp_timestamps
|
||||
value: '0'
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
|
@ -51,7 +51,7 @@
|
|||
when: evolinux_kernel_disable_tcp_timestamps | bool
|
||||
|
||||
- name: Customize the swappiness
|
||||
sysctl:
|
||||
ansible.posix.sysctl:
|
||||
name: vm.swappiness
|
||||
value: "{{ evolinux_kernel_swappiness }}"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
|
@ -60,7 +60,7 @@
|
|||
when: evolinux_kernel_customize_swappiness | bool
|
||||
|
||||
- name: Patch for TCP stack vulnerability CVE-2016-5696
|
||||
sysctl:
|
||||
ansible.posix.sysctl:
|
||||
name: net.ipv4.tcp_challenge_ack_limit
|
||||
value: "1073741823"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
|
@ -69,7 +69,7 @@
|
|||
when: evolinux_kernel_cve20165696 | bool
|
||||
|
||||
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
|
||||
sysctl:
|
||||
ansible.posix.sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
|
@ -81,4 +81,4 @@
|
|||
- { name: "net.ipv4.ipfrag_high_thresh", value: "262144" }
|
||||
- { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -1,24 +1,24 @@
|
|||
---
|
||||
- name: Deploy log2mail systemd unit
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: log2mail.service
|
||||
dest: /etc/systemd/system/log2mail.service
|
||||
mode: "0644"
|
||||
|
||||
- name: Remove log2mail sysvinit service
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /etc/init.d/log2mail
|
||||
state: absent
|
||||
|
||||
- name: Enable and start log2mail service
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: log2mail
|
||||
daemon-reload: yes
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: log2mail config is present
|
||||
blockinfile:
|
||||
ansible.builtin.blockinfile:
|
||||
dest: /etc/log2mail/config/default
|
||||
owner: log2mail
|
||||
group: adm
|
||||
|
|
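Review bot: The copy of `log2mail.service` has no `notify`, and the following `ansible.builtin.systemd` task only does `daemon-reload` plus `state: started`, so a changed unit file on an already-running log2mail is reloaded into systemd but the service keeps running under the old definition until something else restarts it. Unless a handler covers this elsewhere in the role (not visible here), adding `notify:` with the role's restart handler for log2mail to the copy task, or `state: restarted` conditioned on the copy task's registered result, closes that gap. `daemon-reload: yes` / `enabled: yes` should also become `true` to match the normalisation done elsewhere in this commit.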
|
@ -3,7 +3,7 @@
|
|||
# TODO: voir comment faire des backups initiaux des fichiers
|
||||
|
||||
- name: Copy rsyslog.conf
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: logs/rsyslog.conf
|
||||
dest: /etc/rsyslog.conf
|
||||
mode: "0644"
|
||||
|
@ -11,7 +11,8 @@
|
|||
when: evolinux_logs_rsyslog_conf | bool
|
||||
|
||||
- name: Disable logrotate default conf
|
||||
command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
|
||||
ansible.builtin.command:
|
||||
cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
|
||||
args:
|
||||
removes: /etc/logrotate.d/rsyslog
|
||||
creates: /etc/logrotate.d/rsyslog.disabled
|
||||
|
@ -19,33 +20,33 @@
|
|||
when: evolinux_logs_disable_logrotate_rsyslog | bool
|
||||
|
||||
- name: Copy many logrotate files
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: logs/logrotate.d/
|
||||
dest: /etc/logrotate.d/
|
||||
when: evolinux_logs_logrotate_confs | bool
|
||||
|
||||
- name: Copy rsyslog logrotate file
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: logs/zsyslog.j2
|
||||
dest: /etc/logrotate.d/zsyslog
|
||||
when: evolinux_logs_logrotate_confs | bool
|
||||
|
||||
- name: Configure logrotate.conf default rotate value
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/logrotate.conf
|
||||
regexp: "rotate [0-9]+"
|
||||
replace: "rotate 12"
|
||||
when: evolinux_logs_default_rotate | bool
|
||||
|
||||
- name: Enable logrotate.conf dateext option
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/logrotate.conf
|
||||
line: "dateext"
|
||||
regexp: "^#?\\s*dateext"
|
||||
when: evolinux_logs_default_dateext | bool
|
||||
|
||||
- name: Enable logrotate.conf dateformat option
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/logrotate.conf
|
||||
line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
|
||||
regexp: "^#?\\s*dateformat.*"
|
||||
|
@ -53,11 +54,11 @@
|
|||
when: evolinux_logs_default_dateext | bool
|
||||
|
||||
- name: Disable logrotate.conf dateyesterday option
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/logrotate.conf
|
||||
line: "# dateyesterday"
|
||||
regexp: "^\\s*dateyesterday"
|
||||
insertafter: 'dateext'
|
||||
when: evolinux_logs_default_dateext | bool
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
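Review bot: The 'Disable logrotate default conf' task guards the `mv` with both `removes: /etc/logrotate.d/rsyslog` and `creates: /etc/logrotate.d/rsyslog.disabled`, so once `.disabled` exists a reinstated `/etc/logrotate.d/rsyslog` (restored by a package upgrade, for instance) is never moved again and the stock rotation silently comes back into force while the task reports skipped. If the goal is only that the stock file is not active, `ansible.builtin.file: path: /etc/logrotate.d/rsyslog` with `state: absent` is the idempotent form, or the `creates` guard can be dropped so the move happens whenever the source is present; if the `.disabled` copy must be preserved for reference, a comment explaining that trade-off would help. Separately, 'Copy many logrotate files' is the only `ansible.builtin.copy` in this commit without an explicit `mode:`; `mode: "0644"` matches the rsyslog.conf task above it and avoids logrotate refusing group- or world-writable config files should the controller's umask be loose.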
@ -14,7 +14,7 @@
|
|||
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
|
||||
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
|
||||
apt_upgrade: "{{ evolinux_apt_upgrade }}"
|
||||
apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}"
|
||||
apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}"
|
||||
when: evolinux_apt_include | bool
|
||||
|
||||
- name: /etc versioning with Git
|
||||
|
@ -23,27 +23,27 @@
|
|||
when: evolinux_etcgit_include | bool
|
||||
|
||||
- name: /etc/evolinux base
|
||||
include: etc-evolinux.yml
|
||||
import_tasks: etc-evolinux.yml
|
||||
when: evolinux_etcevolinux_include | bool
|
||||
|
||||
- name: Hostname
|
||||
include: hostname.yml
|
||||
import_tasks: hostname.yml
|
||||
when: evolinux_hostname_include | bool
|
||||
|
||||
- name: Kernel tuning
|
||||
include: kernel.yml
|
||||
import_tasks: kernel.yml
|
||||
when: evolinux_kernel_include | bool
|
||||
|
||||
- name: Fstab configuration
|
||||
include: fstab.yml
|
||||
import_tasks: fstab.yml
|
||||
when: evolinux_fstab_include | bool
|
||||
|
||||
- name: Packages
|
||||
include: packages.yml
|
||||
import_tasks: packages.yml
|
||||
when: evolinux_packages_include | bool
|
||||
|
||||
- name: System settings
|
||||
include: system.yml
|
||||
import_tasks: system.yml
|
||||
when: evolinux_system_include | bool
|
||||
|
||||
- name: Minifirewall
|
||||
|
@ -67,41 +67,43 @@
|
|||
# when: evolinux_users_include
|
||||
|
||||
- name: Root user configuration
|
||||
include: root.yml
|
||||
import_tasks: root.yml
|
||||
when: evolinux_root_include | bool
|
||||
|
||||
- name: Postfix
|
||||
include: postfix.yml
|
||||
import_tasks: postfix.yml
|
||||
when: evolinux_postfix_include | bool
|
||||
|
||||
- name: Logs management
|
||||
include: logs.yml
|
||||
import_tasks: logs.yml
|
||||
when: evolinux_logs_include | bool
|
||||
|
||||
- name: Default index page
|
||||
include: default_www.yml
|
||||
import_tasks: default_www.yml
|
||||
when: evolinux_default_www_include | bool
|
||||
|
||||
- name: Hardware drivers and tools
|
||||
include: hardware.yml
|
||||
when: evolinux_hardware_include | bool
|
||||
import_tasks: hardware.yml
|
||||
when:
|
||||
- evolinux_hardware_include | bool
|
||||
- ansible_virtualization_role == "host"
|
||||
|
||||
- name: Customize for Online.net
|
||||
include: provider_online.yml
|
||||
import_tasks: provider_online.yml
|
||||
when: evolinux_provider_online_include | bool
|
||||
|
||||
- name: Customize for Orange FCE
|
||||
include: provider_orange_fce.yml
|
||||
import_tasks: provider_orange_fce.yml
|
||||
when: evolinux_provider_orange_fce_include | bool
|
||||
|
||||
- name: Override Log2mail service
|
||||
include: log2mail.yml
|
||||
import_tasks: log2mail.yml
|
||||
when: evolinux_log2mail_include | bool
|
||||
|
||||
- include: motd.yml
|
||||
- import_tasks: motd.yml
|
||||
when: evolinux_motd_include | bool
|
||||
|
||||
- include: utils.yml
|
||||
- import_tasks: utils.yml
|
||||
when: evolinux_utils_include | bool
|
||||
|
||||
- name: Munin
|
||||
|
|
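Review bot: The rewritten `apt_basics_components` expression is wrong: in Jinja2 a filter binds tighter than a comparison, so `ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main')` is evaluated as `ansible_virtualization_role == ('host' | ternary(...))`, i.e. it compares the role to the string `main contrib non-free` and yields `True`/`False` instead of a components string, which the consuming apt role presumably expects to write into its sources. The comparison needs parentheses, `apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}"`, or the original `if`/`else` form should simply be kept since it was already correct. The enclosing task starts before this hunk. The `include:` → `import_tasks:` changes in the other hunks of this file look fine.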
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: Deploy custom motd
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/motd
|
||||
force: True
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Install/Update system tools
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- locales
|
||||
- sudo
|
||||
|
@ -20,7 +20,7 @@
|
|||
when: evolinux_packages_system | bool
|
||||
|
||||
- name: Install/Update diagnostic tools
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- strace
|
||||
- htop
|
||||
|
@ -39,7 +39,7 @@
|
|||
when: evolinux_packages_diagnostic | bool
|
||||
|
||||
- name: Install/Update hardware tools
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- hdparm
|
||||
- smartmontools
|
||||
|
@ -47,7 +47,7 @@
|
|||
when: ansible_virtualization_role == "host"
|
||||
|
||||
- name: Install/Update common tools
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- vim
|
||||
- screen
|
||||
|
@ -62,21 +62,21 @@
|
|||
when: evolinux_packages_common | bool
|
||||
|
||||
- name: Be sure that openntpd package is absent/purged
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: openntpd
|
||||
state: absent
|
||||
purge: True
|
||||
when: evolinux_packages_purge_openntpd | bool
|
||||
|
||||
- name: the chrony package is absent
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: chrony
|
||||
purge: True
|
||||
state: absent
|
||||
when: evolinux_packages_purge_chrony | bool
|
||||
|
||||
- name: Be sure locate/mlocate is absent/purged
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- locate
|
||||
- mlocate
|
||||
|
@ -85,20 +85,20 @@
|
|||
when: evolinux_packages_purge_locate | bool
|
||||
|
||||
- name: Install/Update serveur-base meta-package
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: serveur-base
|
||||
allow_unauthenticated: yes
|
||||
when: evolinux_packages_serveur_base | bool
|
||||
|
||||
- name: Install/Update packages for Stretch and later
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: net-tools
|
||||
when:
|
||||
- evolinux_packages_stretch | bool
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- name: Install/Update packages for Buster and later
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- spectre-meltdown-checker
|
||||
- binutils
|
||||
|
@ -107,14 +107,14 @@
|
|||
- ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- name: Customize logcheck recipient
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/logcheck/logcheck.conf
|
||||
regexp: '^SENDMAILTO=".*"$'
|
||||
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
|
||||
when: evolinux_packages_logcheck_recipient | bool
|
||||
|
||||
- name: Deleting rpcbind and nfs-common
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- rpcbind
|
||||
- nfs-common
|
||||
|
@ -125,7 +125,7 @@
|
|||
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
|
||||
|
||||
- name: Configure Listchanges on Jessie
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/apt/listchanges.conf
|
||||
regexp: '^{{ item.option }}\s*='
|
||||
line: "{{ item.option }}={{ item.value }}"
|
||||
|
@ -138,7 +138,7 @@
|
|||
- ansible_distribution_release == "jessie"
|
||||
|
||||
- name: apt-listchanges is absent on Stretch and later
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: apt-listchanges
|
||||
state: absent
|
||||
when:
|
||||
|
@ -146,4 +146,4 @@
|
|||
- ansible_distribution_major_version is version('9', '>=')
|
||||
- evolinux_packages_delete_aptlistchanges
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
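Review bot: The 'Install/Update serveur-base meta-package' task carries `allow_unauthenticated: yes` over unchanged, which lets apt install the package even when the repository providing it is unsigned or its signature does not verify; for a meta-package that shapes the base system this is a supply-chain weak point, and it is easy to overlook inside a syntax-only commit. If the repository shipping serveur-base is, or can be, signed, drop the option and let apt verify it; if it genuinely cannot be, a comment on the task such as `# <repository name> is unsigned: signature verification deliberately disabled` records the decision for the next reviewer. Boolean spelling aside (`purge: True`, `allow_unauthenticated: yes` → `true`), the `- evolinux_packages_delete_aptlistchanges` condition is the only one in this file without `| bool`, which matters if the variable is ever supplied as a string from inventory or `-e`, where `"false"` would be truthy.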
@ -1,18 +1,18 @@
|
|||
---
|
||||
|
||||
- name: Postfix packages are installed
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- postfix
|
||||
- mailgraph
|
||||
state: present
|
||||
when: evolinux_postfix_packages | bool
|
||||
tags:
|
||||
- packages
|
||||
- postfix
|
||||
when: evolinux_postfix_packages | bool
|
||||
|
||||
- name: configure postfix myhostname
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/postfix/main.cf
|
||||
state: present
|
||||
line: "myhostname = {{ evolinux_fqdn }}"
|
||||
|
@ -22,7 +22,7 @@
|
|||
- postfix
|
||||
|
||||
- name: configure postfix mynetworks
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/postfix/main.cf
|
||||
state: present
|
||||
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
|
||||
|
@ -32,8 +32,8 @@
|
|||
- postfix
|
||||
|
||||
- name: fetch users list
|
||||
shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
|
||||
args:
|
||||
ansible.builtin.shell:
|
||||
cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
|
||||
executable: /bin/bash
|
||||
check_mode: no
|
||||
register: non_root_users_list
|
||||
|
@ -42,18 +42,18 @@
|
|||
- postfix
|
||||
|
||||
- name: each user is aliased to root
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/aliases
|
||||
regexp: "^{{ item }}:.*"
|
||||
line: "{{ item }}: root"
|
||||
loop: "{{ non_root_users_list.stdout_lines }}"
|
||||
notify: newaliases
|
||||
when: evolinux_postfix_users_alias_root | bool
|
||||
tags:
|
||||
- postfix
|
||||
when: evolinux_postfix_users_alias_root | bool
|
||||
|
||||
- name: additional users address aliased to root
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/aliases
|
||||
regexp: "^{{ item }}:.*"
|
||||
line: "{{ item }}: root"
|
||||
|
@ -65,24 +65,24 @@
|
|||
- error
|
||||
- bounce
|
||||
notify: newaliases
|
||||
when: evolinux_postfix_mailer_alias_root | bool
|
||||
tags:
|
||||
- postfix
|
||||
when: evolinux_postfix_mailer_alias_root | bool
|
||||
|
||||
- name: root alias is configured
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/aliases
|
||||
regexp: "^root:"
|
||||
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
|
||||
notify: newaliases
|
||||
when: evolinux_postfix_root_alias | bool
|
||||
tags:
|
||||
- postfix
|
||||
when: evolinux_postfix_root_alias | bool
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: exim4 is absent
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- exim4
|
||||
- exim4-base
|
||||
|
@ -90,9 +90,9 @@
|
|||
- exim4-daemon-light
|
||||
purge: yes
|
||||
state: absent
|
||||
when: evolinux_postfix_purge_exim | bool
|
||||
tags:
|
||||
- packages
|
||||
- postfix
|
||||
when: evolinux_postfix_purge_exim | bool
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
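Review bot: The users-list pipeline in 'fetch users list', `getent passwd | cut -d':' -f 1 | grep -v root`, filters by substring, so any account whose name merely contains `root` (a `chroot`- or `rootfs`-style service account, say) is also dropped from the aliasing loop that follows. `cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -vx root"` excludes exactly the root entry. The end of this task (`changed_when`, tags) is outside the hunk; the reordering of `when:` above `tags:` in the other hunks of this file is cosmetic and fine.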
@ -1,8 +1,8 @@
|
|||
- debug:
|
||||
- ansible.builtin.debug:
|
||||
msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf."
|
||||
|
||||
- name: custom NTP server for Online servers
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
nagios_nrpe_default_ntp_server: "ntp.online.net"
|
||||
|
||||
# - meta: flush_handlers
|
||||
# - ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
- name: Customize kernel for Orange FCE
|
||||
sysctl:
|
||||
ansible.posix.sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
sysctl_file: /etc/sysctl.d/evolinux_fce.conf
|
||||
|
@ -10,7 +10,7 @@
|
|||
- { name: net.ipv4.tcp_keepalive_intvl, value: 60 }
|
||||
- { name: net.ipv6.conf.all.disable_ipv6, value: 1 }
|
||||
|
||||
- debug:
|
||||
- ansible.builtin.debug:
|
||||
msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf."
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
- name: Check if the virtual machine on VMWare Host
|
||||
shell: "dmidecode | grep -q 'VMware'"
|
||||
ansible.builtin.shell:
|
||||
cmd: "dmidecode | grep -q 'VMware'"
|
||||
check_mode: no
|
||||
register: vmware_provider
|
||||
failed_when: False
|
||||
|
@ -9,7 +10,7 @@
|
|||
- packages
|
||||
|
||||
- name: OpenVM Tools are installed for vmware
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
state: present
|
||||
name: open-vm-tools
|
||||
tags:
|
||||
|
|
|
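Review bot: 'Check if the virtual machine on VMWare Host' registers the status of `dmidecode | grep -q 'VMware'` with `failed_when: False`, so a missing or failing `dmidecode` (not installed, or no access to the DMI tables in a container) yields the same non-zero `rc` as "not VMware" and the OpenVM tools step is silently skipped. If the question is only whether the host is a VMware guest, the `ansible_virtualization_type` fact that setup already gathers answers it without depending on dmidecode; otherwise this task should at least take the same `set -o pipefail` / `executable: /bin/bash` shape as the other shell tasks converted in this commit. The task's remaining keys are cut off by the hunk boundary.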
@ -1,14 +1,14 @@
|
|||
---
|
||||
|
||||
- name: chmod 700 /root
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /root
|
||||
state: directory
|
||||
mode: "0700"
|
||||
when: evolinux_root_chmod | bool
|
||||
|
||||
- name: "Customize root's bashrc..."
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /root/.bashrc
|
||||
line: "{{ item }}"
|
||||
create: yes
|
||||
|
@ -24,34 +24,35 @@
|
|||
## .bash_history should be append-only
|
||||
|
||||
- name: Create .bash_history if missing
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
content: ""
|
||||
dest: "/root/.bash_history"
|
||||
force: no
|
||||
when: evolinux_root_bash_history | bool
|
||||
|
||||
- name: Set umask in /root/.profile
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: "/root/.profile"
|
||||
line: "umask 0077"
|
||||
regexp: "umask [0-9]+"
|
||||
when: evolinux_root_umask | bool
|
||||
|
||||
- name: "/usr/share/scripts is present in root's PATH"
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: "/root/.profile"
|
||||
line: "PATH=\"${PATH}:/usr/share/scripts\""
|
||||
when: ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- name: Custom git config for root
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: root/gitconfig
|
||||
dest: "/root/.gitconfig"
|
||||
force: no
|
||||
when: evolinux_root_gitconfig | bool
|
||||
|
||||
- name: Is .bash_history append-only
|
||||
shell: lsattr /root/.bash_history | grep -E "^.*a.* "
|
||||
ansible.builtin.shell:
|
||||
cmd: lsattr /root/.bash_history | grep -E "^.*a.* "
|
||||
check_mode: no
|
||||
register: bash_history_append_only
|
||||
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
|
||||
|
@ -59,14 +60,15 @@
|
|||
changed_when: False
|
||||
|
||||
- name: Set .bash_history append-only
|
||||
command: chattr +a /root/.bash_history
|
||||
ansible.builtin.command:
|
||||
cmd: chattr +a /root/.bash_history
|
||||
when:
|
||||
- evolinux_root_bash_history_appendonly | bool
|
||||
- bash_history_append_only.rc != 0
|
||||
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
|
||||
- evolinux_root_bash_history_appendonly | bool
|
||||
- bash_history_append_only.rc != 0
|
||||
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
|
||||
|
||||
- name: Setting vim as selected-editor
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /root/.selected_editor
|
||||
regexp: '^SELECTED_EDITOR='
|
||||
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
|
||||
|
@ -74,7 +76,7 @@
|
|||
when: evolinux_root_vim_default | bool
|
||||
|
||||
- name: Setting vim root configuration
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /root/.vimrc
|
||||
line: "{{ item }}"
|
||||
create: yes
|
||||
|
@ -89,7 +91,7 @@
|
|||
when: evolinux_root_vim_conf | bool
|
||||
|
||||
- name: disable SSH access for root
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
|
@ -99,7 +101,7 @@
|
|||
|
||||
### Disabled : it seems useless and too dangerous for now
|
||||
# - name: remove root from AllowUsers directive
|
||||
# replace:
|
||||
# ansible.builtin.replace:
|
||||
# dest: /etc/ssh/sshd_config
|
||||
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
|
||||
# replace: '\1\4'
|
||||
|
@ -107,4 +109,4 @@
|
|||
# notify: reload sshd
|
||||
# when: evolinux_root_disable_ssh
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
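Review bot: 'disable SSH access for root' rewrites `/etc/ssh/sshd_config` with `ansible.builtin.replace` and no `validate:`, so a bad edit, or a later change to the regexp, goes straight into the live sshd config; for the one file whose breakage locks everyone out, `validate: '/usr/sbin/sshd -t -f %s'` makes the module check the candidate file before it replaces the original. The rest of that task (notify, when) is outside the hunk. In the `.bash_history` hunk, `failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"` makes the play fail on filesystems without attribute support, so the `"'Inappropriate ioctl' not in bash_history_append_only.stderr"` condition on the following `chattr +a` task can never be reached; either the lsattr probe should tolerate that error (`failed_when: false`, letting the `when` do the work) or the dead condition should go.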
@ -1,14 +1,14 @@
|
|||
---
|
||||
|
||||
- name: /tmp must be world-writable
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /tmp
|
||||
state: directory
|
||||
mode: "u=rwx,g=rwx,o=rwxt"
|
||||
when: evolinux_system_chmod_tmp | bool
|
||||
|
||||
- name: Setting default locales
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/locale.gen
|
||||
line: "{{ item }}"
|
||||
create: yes
|
||||
|
@ -21,11 +21,12 @@
|
|||
when: evolinux_system_locales | bool
|
||||
|
||||
- name: Reconfigure locales
|
||||
command: /usr/sbin/locale-gen
|
||||
ansible.builtin.command:
|
||||
cmd: /usr/sbin/locale-gen
|
||||
when: evolinux_system_locales and default_locales is changed
|
||||
|
||||
- name: Setting default timezone
|
||||
timezone:
|
||||
community.general.timezone:
|
||||
name: "{{ evolinux_system_timezone | mandatory }}"
|
||||
notify: restart cron
|
||||
when: evolinux_system_set_timezone | bool
|
||||
|
@ -37,20 +38,20 @@
|
|||
name: evolix/remount-usr
|
||||
|
||||
- name: Ensure automagic vim conf is disabled
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/vim/vimrc
|
||||
regexp: 'let g:skip_defaults_vim ='
|
||||
line: 'let g:skip_defaults_vim = 1'
|
||||
when: evolinux_system_vim_skip_defaults | bool
|
||||
|
||||
- name: Setting vim as default editor
|
||||
alternatives:
|
||||
community.general.alternatives:
|
||||
name: editor
|
||||
path: /usr/bin/vim.basic
|
||||
when: evolinux_system_vim_default_editor | bool
|
||||
|
||||
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/profile.d/evolinux.sh
|
||||
line: "umask 027"
|
||||
create: yes
|
||||
|
@ -58,7 +59,7 @@
|
|||
when: evolinux_system_profile | bool
|
||||
|
||||
- name: Set /etc/adduser.conf DIR_MODE to 0700
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/adduser.conf
|
||||
regexp: "^DIR_MODE=0755$"
|
||||
replace: "DIR_MODE=0700"
|
||||
|
@ -67,7 +68,7 @@
|
|||
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
|
||||
|
||||
- name: Deactivating login on all tty except tty2
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/securetty
|
||||
line: "tty2"
|
||||
create: yes
|
||||
|
@ -75,7 +76,7 @@
|
|||
when: evolinux_system_restrict_securetty | bool
|
||||
|
||||
- name: Setting TMOUT to disconnect inactive users
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/profile.d/evolinux.sh
|
||||
line: "export TMOUT={{ evolinux_system_timeout }}"
|
||||
regexp: "^export TMOUT="
|
||||
|
@ -86,8 +87,8 @@
|
|||
#- name: Customizing /etc/fstab
|
||||
|
||||
- name: Check if cron is installed
|
||||
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||
args:
|
||||
ansible.builtin.shell:
|
||||
cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||
executable: /bin/bash
|
||||
check_mode: no
|
||||
failed_when: False
|
||||
|
@ -95,7 +96,7 @@
|
|||
register: is_cron_installed
|
||||
|
||||
- name: Set verbose logging for cron deamon
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/default/cron
|
||||
line: "EXTRA_OPTS='-L 15'"
|
||||
create: yes
|
||||
|
@ -105,7 +106,7 @@
|
|||
- evolinux_system_cron_verboselog | bool
|
||||
|
||||
- name: Modify default umask for cron deamon
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/default/cron
|
||||
line: "umask 022"
|
||||
create: yes
|
||||
|
@ -115,7 +116,7 @@
|
|||
- evolinux_system_cron_umask | bool
|
||||
|
||||
- name: Randomize periodic crontabs
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/crontab
|
||||
regexp: "{{ item.regexp }}"
|
||||
replace: "{{ item.replace }}"
|
||||
|
@ -134,7 +135,7 @@
|
|||
## alert5
|
||||
|
||||
- name: Install alert5 init script (jessie/stretch)
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: system/alert5.sysvinit.j2
|
||||
dest: /etc/init.d/alert5
|
||||
force: no
|
||||
|
@ -144,7 +145,7 @@
|
|||
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
|
||||
|
||||
- name: Enable alert5 init script (jessie/stretch)
|
||||
service:
|
||||
ansible.builtin.service:
|
||||
name: alert5
|
||||
enabled: yes
|
||||
when:
|
||||
|
@ -155,7 +156,7 @@
|
|||
|
||||
|
||||
- name: Install alert5 init script (buster and later)
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: system/alert5.sh.j2
|
||||
dest: /usr/share/scripts/alert5.sh
|
||||
force: no
|
||||
|
@ -165,7 +166,7 @@
|
|||
- ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- name: Install alert5 service (buster and later)
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: alert5.service
|
||||
dest: /etc/systemd/system/alert5.service
|
||||
force: yes
|
||||
|
@ -175,7 +176,7 @@
|
|||
- ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- name: Enable alert5 init script (buster and later)
|
||||
systemd:
|
||||
ansible.builtin.systemd:
|
||||
name: alert5
|
||||
daemon_reload: yes
|
||||
enabled: yes
|
||||
|
@ -188,14 +189,15 @@
|
|||
## network interfaces
|
||||
|
||||
- name: "Is there an \"allow-hotplug\" interface ?"
|
||||
command: grep allow-hotplug /etc/network/interfaces
|
||||
ansible.builtin.command:
|
||||
cmd: grep allow-hotplug /etc/network/interfaces
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: grep_hotplug_eni
|
||||
|
||||
- name: "Network interfaces must be \"auto\" and not \"allow-hotplug\""
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/network/interfaces
|
||||
regexp: "allow-hotplug"
|
||||
replace: "auto"
|
||||
|
@ -203,6 +205,4 @@
|
|||
- evolinux_system_eni_auto | bool
|
||||
- grep_hotplug_eni.rc == 0
|
||||
|
||||
## /sbin/deny
|
||||
|
||||
- meta: flush_handlers
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
file: dump-server-state.yml
|
||||
|
||||
- name: "/sbin/deny script is present"
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: deny.sh
|
||||
dest: /sbin/deny
|
||||
mode: "0700"
|
||||
|
@ -16,7 +16,7 @@
|
|||
force: no
|
||||
|
||||
- name: update-evobackup-canary script is present
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: update-evobackup-canary
|
||||
dest: /usr/local/bin/update-evobackup-canary
|
||||
force: True
|
||||
|
@ -26,26 +26,17 @@
|
|||
|
||||
# TODO: delete when this has been run once on all our servers
|
||||
- name: update-evobackup-canary is removed from sbin
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /usr/local/sbin/update-evobackup-canary
|
||||
state: absent
|
||||
|
||||
# - name: dir-check script is present
|
||||
# copy:
|
||||
# src: "dir-check.sh"
|
||||
# dest: /usr/local/bin/dir-check
|
||||
# force: True
|
||||
# owner: root
|
||||
# group: root
|
||||
# mode: "0755"
|
||||
|
||||
- name: Deploy htop configuration
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: htoprc
|
||||
dest: /etc/htoprc
|
||||
mode: "0644"
|
||||
|
||||
- name: Deploy top configuration file
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /etc/topdefaultrc
|
||||
state: absent
|
||||
|
|
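Review bot: `force: True` on the update-evobackup-canary copy task uses a capitalised YAML 1.1 boolean while the neighbouring `/sbin/deny` task uses `force: no` and the rest of the section uses lowercase forms; since this commit is a syntax-normalisation pass, these should be written as `force: true` / `force: false` so ansible-lint's `yaml[truthy]` rule and YAML 1.2 parsers agree with the author's intent. The task named `Deploy top configuration file` actually deletes `/etc/topdefaultrc` via `state: absent`, so the play output will misreport what happened; rename it to something like `name: Remove top configuration file`. The update-evobackup-canary copy into `/usr/local/bin` sets no `mode:` or `owner:`, unlike the `/sbin/deny` task directly above it that pins `mode: "0700"`; if the script is expected to be executable and root-owned, stating that explicitly (for example `mode: "0755"`) would avoid depending on the controller's umask — presumably it is handled elsewhere, but that is not visible here. The commented-out dir-check task is dead configuration carried across the change and could be dropped or given a comment explaining why it is kept.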