evolinux-base: syntax

This commit is contained in:
Jérémy Lecour 2023-03-18 18:35:54 +01:00 committed by Jérémy Lecour
parent 6f61a0744c
commit 8f25dfe041
18 changed files with 175 additions and 175 deletions


@ -1,13 +1,13 @@
---
- name: /var/www is present
file:
ansible.builtin.file:
path: /var/www
state: directory
mode: "0755"
when: evolinux_default_www_files | bool
- name: images are copied
copy:
ansible.builtin.copy:
src: default_www/img
dest: /var/www/
mode: "0644"
@ -16,7 +16,7 @@
when: evolinux_default_www_files | bool
- name: index is copied
template:
ansible.builtin.template:
src: default_www/index.html.j2
dest: /var/www/index.html
mode: "0644"
@ -28,21 +28,23 @@
- name: Default certificate is present
block:
- name: Create private key and csr for default site ({{ ansible_fqdn }})
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
ansible.builtin.command:
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
- name: Adjust rights on private key
file:
ansible.builtin.file:
path: /etc/ssl/private/{{ ansible_fqdn }}.key
owner: root
group: ssl-cert
mode: "0640"
- name: Create certificate for default site
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
ansible.builtin.command:
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
when: evolinux_default_www_ssl_cert | bool
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
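Review bot: The certificate produced by the `openssl x509 -req` line is a CN-only certificate (`-subj "/CN={{ ansible_fqdn }}"`, no subjectAltName), and current browsers and most TLS libraries ignore the CN, so the default site certificate will be rejected for the very hostname it is meant to cover. On OpenSSL 1.1.1+ the request can carry the SAN directly with `-addext "subjectAltName=DNS:{{ ansible_fqdn }}"`, but `x509 -req` does not carry CSR extensions into the certificate unless given `-extfile` (or OpenSSL 3's `-copy_extensions copy`), so the least fragile fix is to fold both commands into a single self-signing `openssl req -x509 -days 3650 ... -addext "subjectAltName=DNS:{{ ansible_fqdn }}"` task guarded by the existing `creates:`. A one-line comment on the task stating that this is a fallback certificate for the default vhost, not meant to be trusted by clients, would make the CN-only/self-signed choice explicit if it is deliberate.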


@ -1,5 +1,5 @@
- name: dump-server-state script is present
copy:
ansible.builtin.copy:
src: "dump-server-state.sh"
dest: /usr/local/sbin/dump-server-state
force: True
@ -8,7 +8,7 @@
mode: "0750"
- name: symlink backup-server-state to dump-server-state
file:
ansible.builtin.file:
src: /usr/local/sbin/dump-server-state
dest: /usr/local/sbin/backup-server-state
state: link


@ -2,7 +2,7 @@
### This is taken care of by the evolinux-todo role
# - name: /etc/evolinux exists
# file:
# ansible.builtin.file:
# dest: /etc/evolinux
# owner: root
# group: root


@ -4,69 +4,70 @@
# TODO: try to use the custom mount_uuid module for a different approach
- name: Fetch fstab content
command: "grep -v '^#' /etc/fstab"
ansible.builtin.command:
cmd: "grep -v '^#' /etc/fstab"
check_mode: no
register: fstab_content
failed_when: False
changed_when: False
- name: /home partition is customized
replace:
ansible.builtin.replace:
dest: /etc/fstab
regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
notify: remount /home
when:
- fstab_content.stdout | regex_search('\s/home\s')
- evolinux_fstab_home | bool
- fstab_content.stdout | regex_search('\s/home\s')
- evolinux_fstab_home | bool
- name: /tmp partition is customized
replace:
ansible.builtin.replace:
dest: /etc/fstab
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
when:
- fstab_content.stdout | regex_search('\s/tmp\s')
- evolinux_fstab_tmp | bool
- fstab_content.stdout | regex_search('\s/tmp\s')
- evolinux_fstab_tmp | bool
- name: /usr partition is customized
replace:
ansible.builtin.replace:
dest: /etc/fstab
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
when:
- fstab_content.stdout | regex_search('\s/usr\s')
- evolinux_fstab_usr | bool
- fstab_content.stdout | regex_search('\s/usr\s')
- evolinux_fstab_usr | bool
- name: /var partition is customized
replace:
ansible.builtin.replace:
dest: /etc/fstab
regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
notify: remount /var
when:
- fstab_content.stdout | regex_search('\s/var\s')
- evolinux_fstab_var | bool
- fstab_content.stdout | regex_search('\s/var\s')
- evolinux_fstab_var | bool
- name: /var/tmp is created
mount:
ansible.posix.mount:
src: tmpfs
name: /var/tmp
fstype: tmpfs
opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}"
state: mounted
when:
- evolinux_fstab_var_tmp | bool
- evolinux_fstab_var_tmp | bool
- name: /dev/shm is created (Debian 10 and later)
mount:
ansible.posix.mount:
src: tmpfs
name: /dev/shm
fstype: tmpfs
opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
state: mounted
when:
- evolinux_fstab_dev_shm | bool
- ansible_distribution_major_version is version('10', '>=')
- evolinux_fstab_dev_shm | bool
- ansible_distribution_major_version is version('10', '>=')
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
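Review bot: The option group `([a-z,]+)` on the `/home`, `/tmp`, `/usr` and `/var` `regexp:` lines only matches option lists made of lowercase letters and commas, so an fstab entry carrying `errors=remount-ro`, `uid=`/`size=` style options or any digit fails the match silently and the hardened options from `evolinux_fstab_*_options` are never written, while the `when:` check on `regex_search('\s/home\s')` still treats the mount as handled. Replacing the group with `(\S+)` accepts any option list, e.g. `regexp: '([^#]\s+/home\s+\S+\s+)(\S+)(\s+)'`, and the same change applies to the other three tasks. Only `/home` and `/var` notify a remount handler; new options on `/tmp` and `/usr` take effect at the next reboot only, which may be intentional for `/usr` (a separate remount-usr role exists) but deserves a comment on the `/tmp` task so the delayed effect is not mistaken for a failed change.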


@ -1,29 +1,29 @@
---
- name: dbus is installed
apt:
ansible.builtin.apt:
name: dbus
state: present
- name: dbus is enabled and started
service:
ansible.builtin.systemd:
name: dbus
state: started
enabled: true
- name: Set hostname "{{ evolinux_hostname }}"
hostname:
ansible.builtin.hostname:
name: "{{ evolinux_hostname }}"
when: evolinux_hostname_hosts | bool
- name: Set right localhost line in /etc/hosts
replace:
ansible.builtin.replace:
dest: /etc/hosts
regexp: '^127.0.0.1(\s+)localhost.*$'
replace: '127.0.0.1\1localhost.localdomain localhost'
when: evolinux_hostname_hosts | bool
- name: Set ip+fqdn+hostname in /etc/hosts
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/hosts
regexp: '^{{ ansible_default_ipv4.address }}\s+'
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
@ -31,14 +31,14 @@
when: evolinux_hostname_hosts | bool
- name: 127.0.1.1 is removed
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/hosts
regexp: '^127.0.1.1\s+'
state: absent
when: evolinux_hostname_hosts | bool
- name: /etc/mailname is up-to-date
copy:
ansible.builtin.copy:
dest: /etc/mailname
content: "{{ evolinux_fqdn }}\n"
force: yes
@ -47,18 +47,18 @@
# Override facts
- name: Override ansible_hostname fact
set_fact:
ansible.builtin.set_fact:
ansible_hostname: "{{ evolinux_hostname }}"
when: ansible_hostname != evolinux_hostname
- name: Override ansible_domain fact
set_fact:
ansible.builtin.set_fact:
ansible_domain: "{{ evolinux_domain }}"
when: ansible_domain != evolinux_domain
- name: Override ansible_fqdn fact
set_fact:
ansible.builtin.set_fact:
ansible_fqdn: "{{ evolinux_fqdn }}"
when: ansible_fqdn != evolinux_fqdn
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
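Review bot: The `Set ip+fqdn+hostname in /etc/hosts` task templates `ansible_default_ipv4.address` into both `regexp:` and `line:` with no guard, so on a host without an IPv4 default route (`ansible_default_ipv4` is then an empty dict) the play aborts with an undefined-attribute error instead of skipping, and the dots in the address are unescaped regex metacharacters. Extending the condition to `when:` / `- evolinux_hostname_hosts | bool` / `- ansible_default_ipv4.address is defined` and writing `regexp: '^{{ ansible_default_ipv4.address | regex_escape }}\s+'` handles both. The `127.0.0.1` and `127.0.1.1` patterns in this file have the same unescaped dots; harmless on a real hosts file, but worth fixing for consistency while the file is being touched.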


@ -1,7 +1,7 @@
---
- name: "Use Cloud kernel on virtual servers"
apt:
ansible.builtin.apt:
name: "linux-image-cloud-amd64"
state: present
when:
@ -10,7 +10,7 @@
- evolinux_kernel_cloud_auto | bool
- name: "Remove non-Cloud kernel on virtual servers"
apt:
ansible.builtin.apt:
name: "linux-image-amd64"
state: absent
when:
@ -19,7 +19,7 @@
- evolinux_kernel_cloud_auto | bool
- name: Reboot after panic
sysctl:
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -31,7 +31,7 @@
when: evolinux_kernel_reboot_after_panic | bool
- name: Don't reboot after panic
sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: absent
@ -42,7 +42,7 @@
when: not evolinux_kernel_reboot_after_panic | bool
- name: Disable net.ipv4.tcp_timestamps
sysctl:
ansible.posix.sysctl:
name: net.ipv4.tcp_timestamps
value: '0'
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -51,7 +51,7 @@
when: evolinux_kernel_disable_tcp_timestamps | bool
- name: Customize the swappiness
sysctl:
ansible.posix.sysctl:
name: vm.swappiness
value: "{{ evolinux_kernel_swappiness }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -60,7 +60,7 @@
when: evolinux_kernel_customize_swappiness | bool
- name: Patch for TCP stack vulnerability CVE-2016-5696
sysctl:
ansible.posix.sysctl:
name: net.ipv4.tcp_challenge_ack_limit
value: "1073741823"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -69,7 +69,7 @@
when: evolinux_kernel_cve20165696 | bool
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
sysctl:
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -81,4 +81,4 @@
- { name: "net.ipv4.ipfrag_high_thresh", value: "262144" }
- { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers


@ -1,24 +1,24 @@
---
- name: Deploy log2mail systemd unit
copy:
ansible.builtin.copy:
src: log2mail.service
dest: /etc/systemd/system/log2mail.service
mode: "0644"
- name: Remove log2mail sysvinit service
file:
ansible.builtin.file:
path: /etc/init.d/log2mail
state: absent
- name: Enable and start log2mail service
systemd:
ansible.builtin.systemd:
name: log2mail
daemon-reload: yes
state: started
enabled: yes
- name: log2mail config is present
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/log2mail/config/default
owner: log2mail
group: adm


@ -3,7 +3,7 @@
# TODO: voir comment faire des backups initiaux des fichiers
- name: Copy rsyslog.conf
copy:
ansible.builtin.copy:
src: logs/rsyslog.conf
dest: /etc/rsyslog.conf
mode: "0644"
@ -11,7 +11,8 @@
when: evolinux_logs_rsyslog_conf | bool
- name: Disable logrotate default conf
command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
ansible.builtin.command:
cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
args:
removes: /etc/logrotate.d/rsyslog
creates: /etc/logrotate.d/rsyslog.disabled
@ -19,33 +20,33 @@
when: evolinux_logs_disable_logrotate_rsyslog | bool
- name: Copy many logrotate files
copy:
ansible.builtin.copy:
src: logs/logrotate.d/
dest: /etc/logrotate.d/
when: evolinux_logs_logrotate_confs | bool
- name: Copy rsyslog logrotate file
template:
ansible.builtin.template:
src: logs/zsyslog.j2
dest: /etc/logrotate.d/zsyslog
when: evolinux_logs_logrotate_confs | bool
- name: Configure logrotate.conf default rotate value
replace:
ansible.builtin.replace:
dest: /etc/logrotate.conf
regexp: "rotate [0-9]+"
replace: "rotate 12"
when: evolinux_logs_default_rotate | bool
- name: Enable logrotate.conf dateext option
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/logrotate.conf
line: "dateext"
regexp: "^#?\\s*dateext"
when: evolinux_logs_default_dateext | bool
- name: Enable logrotate.conf dateformat option
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/logrotate.conf
line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
regexp: "^#?\\s*dateformat.*"
@ -53,11 +54,11 @@
when: evolinux_logs_default_dateext | bool
- name: Disable logrotate.conf dateyesterday option
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/logrotate.conf
line: "# dateyesterday"
regexp: "^\\s*dateyesterday"
insertafter: 'dateext'
when: evolinux_logs_default_dateext | bool
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers


@ -14,7 +14,7 @@
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
apt_upgrade: "{{ evolinux_apt_upgrade }}"
apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}"
apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}"
when: evolinux_apt_include | bool
- name: /etc versioning with Git
@ -23,27 +23,27 @@
when: evolinux_etcgit_include | bool
- name: /etc/evolinux base
include: etc-evolinux.yml
import_tasks: etc-evolinux.yml
when: evolinux_etcevolinux_include | bool
- name: Hostname
include: hostname.yml
import_tasks: hostname.yml
when: evolinux_hostname_include | bool
- name: Kernel tuning
include: kernel.yml
import_tasks: kernel.yml
when: evolinux_kernel_include | bool
- name: Fstab configuration
include: fstab.yml
import_tasks: fstab.yml
when: evolinux_fstab_include | bool
- name: Packages
include: packages.yml
import_tasks: packages.yml
when: evolinux_packages_include | bool
- name: System settings
include: system.yml
import_tasks: system.yml
when: evolinux_system_include | bool
- name: Minifirewall
@ -67,41 +67,43 @@
# when: evolinux_users_include
- name: Root user configuration
include: root.yml
import_tasks: root.yml
when: evolinux_root_include | bool
- name: Postfix
include: postfix.yml
import_tasks: postfix.yml
when: evolinux_postfix_include | bool
- name: Logs management
include: logs.yml
import_tasks: logs.yml
when: evolinux_logs_include | bool
- name: Default index page
include: default_www.yml
import_tasks: default_www.yml
when: evolinux_default_www_include | bool
- name: Hardware drivers and tools
include: hardware.yml
when: evolinux_hardware_include | bool
import_tasks: hardware.yml
when:
- evolinux_hardware_include | bool
- ansible_virtualization_role == "host"
- name: Customize for Online.net
include: provider_online.yml
import_tasks: provider_online.yml
when: evolinux_provider_online_include | bool
- name: Customize for Orange FCE
include: provider_orange_fce.yml
import_tasks: provider_orange_fce.yml
when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service
include: log2mail.yml
import_tasks: log2mail.yml
when: evolinux_log2mail_include | bool
- include: motd.yml
- import_tasks: motd.yml
when: evolinux_motd_include | bool
- include: utils.yml
- import_tasks: utils.yml
when: evolinux_utils_include | bool
- name: Munin
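Review bot: The rewritten `apt_basics_components` expression is broken by Jinja precedence: a filter binds tighter than `==`, so `ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main')` first evaluates `'host' | ternary(...)` (always `'main contrib non-free'`, since the string is truthy) and then compares the role to that string, producing the boolean `False` for every host instead of a component list; if the ternary form is the new side of this hunk, the apt role will receive `False` as its components. Parenthesise the comparison: `apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}"`, or keep the original inline-`if` form, which was correct. The `include:` to `import_tasks:` change is also semantic (static import, the `when:` is attached to every imported task), and the hardware import is now additionally gated on `ansible_virtualization_role == "host"`, which would make any guest-only logic inside that file unreachable; that interaction merits a comment at the import.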


@ -1,6 +1,6 @@
---
- name: Deploy custom motd
template:
ansible.builtin.template:
src: "{{ item }}"
dest: /etc/motd
force: True


@ -1,7 +1,7 @@
---
- name: Install/Update system tools
apt:
ansible.builtin.apt:
name:
- locales
- sudo
@ -20,7 +20,7 @@
when: evolinux_packages_system | bool
- name: Install/Update diagnostic tools
apt:
ansible.builtin.apt:
name:
- strace
- htop
@ -39,7 +39,7 @@
when: evolinux_packages_diagnostic | bool
- name: Install/Update hardware tools
apt:
ansible.builtin.apt:
name:
- hdparm
- smartmontools
@ -47,7 +47,7 @@
when: ansible_virtualization_role == "host"
- name: Install/Update common tools
apt:
ansible.builtin.apt:
name:
- vim
- screen
@ -62,21 +62,21 @@
when: evolinux_packages_common | bool
- name: Be sure that openntpd package is absent/purged
apt:
ansible.builtin.apt:
name: openntpd
state: absent
purge: True
when: evolinux_packages_purge_openntpd | bool
- name: the chrony package is absent
apt:
ansible.builtin.apt:
name: chrony
purge: True
state: absent
when: evolinux_packages_purge_chrony | bool
- name: Be sure locate/mlocate is absent/purged
apt:
ansible.builtin.apt:
name:
- locate
- mlocate
@ -85,20 +85,20 @@
when: evolinux_packages_purge_locate | bool
- name: Install/Update serveur-base meta-package
apt:
ansible.builtin.apt:
name: serveur-base
allow_unauthenticated: yes
when: evolinux_packages_serveur_base | bool
- name: Install/Update packages for Stretch and later
apt:
ansible.builtin.apt:
name: net-tools
when:
- evolinux_packages_stretch | bool
- ansible_distribution_major_version is version('9', '>=')
- name: Install/Update packages for Buster and later
apt:
ansible.builtin.apt:
name:
- spectre-meltdown-checker
- binutils
@ -107,14 +107,14 @@
- ansible_distribution_major_version is version('10', '>=')
- name: Customize logcheck recipient
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/logcheck/logcheck.conf
regexp: '^SENDMAILTO=".*"$'
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
when: evolinux_packages_logcheck_recipient | bool
- name: Deleting rpcbind and nfs-common
apt:
ansible.builtin.apt:
name:
- rpcbind
- nfs-common
@ -125,7 +125,7 @@
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
- name: Configure Listchanges on Jessie
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/listchanges.conf
regexp: '^{{ item.option }}\s*='
line: "{{ item.option }}={{ item.value }}"
@ -138,7 +138,7 @@
- ansible_distribution_release == "jessie"
- name: apt-listchanges is absent on Stretch and later
apt:
ansible.builtin.apt:
name: apt-listchanges
state: absent
when:
@ -146,4 +146,4 @@
- ansible_distribution_major_version is version('9', '>=')
- evolinux_packages_delete_aptlistchanges
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
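Review bot: The `serveur-base` task keeps `allow_unauthenticated: yes`, which turns off apt's signature verification for that install and makes the meta-package, and everything it depends on, a supply-chain blind spot; the commit renames the module on that task but leaves the flag in place. Since the role already installs Evolix public sources (`apt_install_evolix_public` in main.yml), the repository signing key should be deployed alongside them and the line removed, or at minimum annotated, e.g. `# FIXME: unauthenticated install bypasses apt signature checks; drop once the Evolix repo key is deployed`. As a smaller consistency point, the tool-set install tasks omit `state:` while the purge tasks spell `state: absent` out; adding `state: present` to the former keeps the file uniform.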


@ -1,18 +1,18 @@
---
- name: Postfix packages are installed
apt:
ansible.builtin.apt:
name:
- postfix
- mailgraph
state: present
when: evolinux_postfix_packages | bool
tags:
- packages
- postfix
when: evolinux_postfix_packages | bool
- name: configure postfix myhostname
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/postfix/main.cf
state: present
line: "myhostname = {{ evolinux_fqdn }}"
@ -22,7 +22,7 @@
- postfix
- name: configure postfix mynetworks
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/postfix/main.cf
state: present
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
@ -32,8 +32,8 @@
- postfix
- name: fetch users list
shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
executable: /bin/bash
check_mode: no
register: non_root_users_list
@ -42,18 +42,18 @@
- postfix
- name: each user is aliased to root
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/aliases
regexp: "^{{ item }}:.*"
line: "{{ item }}: root"
loop: "{{ non_root_users_list.stdout_lines }}"
notify: newaliases
when: evolinux_postfix_users_alias_root | bool
tags:
- postfix
when: evolinux_postfix_users_alias_root | bool
- name: additional users address aliased to root
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/aliases
regexp: "^{{ item }}:.*"
line: "{{ item }}: root"
@ -65,24 +65,24 @@
- error
- bounce
notify: newaliases
when: evolinux_postfix_mailer_alias_root | bool
tags:
- postfix
when: evolinux_postfix_mailer_alias_root | bool
- name: root alias is configured
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/aliases
regexp: "^root:"
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
notify: newaliases
when: evolinux_postfix_root_alias | bool
tags:
- postfix
when: evolinux_postfix_root_alias | bool
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
- name: exim4 is absent
apt:
ansible.builtin.apt:
name:
- exim4
- exim4-base
@ -90,9 +90,9 @@
- exim4-daemon-light
purge: yes
state: absent
when: evolinux_postfix_purge_exim | bool
tags:
- packages
- postfix
when: evolinux_postfix_purge_exim | bool
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
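Review bot: The `each user is aliased to root` task builds `regexp: "^{{ item }}:.*"` from raw `getent passwd` names, so a username containing a regex metacharacter (a `$` suffix on Samba machine accounts, `.` or `+` in directory-backed accounts) either never matches and is appended again on every run, or matches a different alias; `regexp: "^{{ item | regex_escape }}:.*"` makes the lookup literal. The `grep -v root` in the `fetch users list` pipeline also drops every account whose name merely contains `root`, not just root itself; `grep -vx root` (or `awk -F: '$1 != "root"'`) restricts it to the exact name. Separately, the task named `configure postfix mynetworks` writes a `mydestination =` line, so the name should read `configure postfix mydestination`.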


@ -1,8 +1,8 @@
- debug:
- ansible.builtin.debug:
msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf."
- name: custom NTP server for Online servers
set_fact:
ansible.builtin.set_fact:
nagios_nrpe_default_ntp_server: "ntp.online.net"
# - meta: flush_handlers
# - ansible.builtin.meta: flush_handlers


@ -1,5 +1,5 @@
- name: Customize kernel for Orange FCE
sysctl:
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_file: /etc/sysctl.d/evolinux_fce.conf
@ -10,7 +10,7 @@
- { name: net.ipv4.tcp_keepalive_intvl, value: 60 }
- { name: net.ipv6.conf.all.disable_ipv6, value: 1 }
- debug:
- ansible.builtin.debug:
msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf."
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers


@ -1,6 +1,7 @@
---
- name: Check if the virtual machine on VMWare Host
shell: "dmidecode | grep -q 'VMware'"
ansible.builtin.shell:
cmd: "dmidecode | grep -q 'VMware'"
check_mode: no
register: vmware_provider
failed_when: False
@ -9,7 +10,7 @@
- packages
- name: OpenVM Tools are installed for vmware
apt:
ansible.builtin.apt:
state: present
name: open-vm-tools
tags:
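Review bot: The VMware detection still shells out to `dmidecode | grep -q 'VMware'` with `failed_when: False` and keys the `open-vm-tools` install on the registered result, while Ansible already exposes the same information as a fact: `when: ansible_virtualization_type == "VMware"` on the apt task removes the shell pipeline, the registered variable and the dependency on `dmidecode` being present on the target. If this is the file imported as `hardware.yml` in main.yml, that import is now also gated on `ansible_virtualization_role == "host"`, so this guest-side branch can no longer run on a VMware guest, where it is the only place it matters; the gating and this task should be reconciled, with a comment at whichever is kept. The `tags:` block that closes the hunk continues outside the visible lines.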


@ -1,14 +1,14 @@
---
- name: chmod 700 /root
file:
ansible.builtin.file:
path: /root
state: directory
mode: "0700"
when: evolinux_root_chmod | bool
- name: "Customize root's bashrc..."
lineinfile:
ansible.builtin.lineinfile:
dest: /root/.bashrc
line: "{{ item }}"
create: yes
@ -24,34 +24,35 @@
## .bash_history should be append-only
- name: Create .bash_history if missing
copy:
ansible.builtin.copy:
content: ""
dest: "/root/.bash_history"
force: no
when: evolinux_root_bash_history | bool
- name: Set umask in /root/.profile
lineinfile:
ansible.builtin.lineinfile:
dest: "/root/.profile"
line: "umask 0077"
regexp: "umask [0-9]+"
when: evolinux_root_umask | bool
- name: "/usr/share/scripts is present in root's PATH"
lineinfile:
ansible.builtin.lineinfile:
dest: "/root/.profile"
line: "PATH=\"${PATH}:/usr/share/scripts\""
when: ansible_distribution_major_version is version('10', '>=')
- name: Custom git config for root
copy:
ansible.builtin.copy:
src: root/gitconfig
dest: "/root/.gitconfig"
force: no
when: evolinux_root_gitconfig | bool
- name: Is .bash_history append-only
shell: lsattr /root/.bash_history | grep -E "^.*a.* "
ansible.builtin.shell:
cmd: lsattr /root/.bash_history | grep -E "^.*a.* "
check_mode: no
register: bash_history_append_only
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
@ -59,14 +60,15 @@
changed_when: False
- name: Set .bash_history append-only
command: chattr +a /root/.bash_history
ansible.builtin.command:
cmd: chattr +a /root/.bash_history
when:
- evolinux_root_bash_history_appendonly | bool
- bash_history_append_only.rc != 0
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
- evolinux_root_bash_history_appendonly | bool
- bash_history_append_only.rc != 0
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
- name: Setting vim as selected-editor
lineinfile:
ansible.builtin.lineinfile:
dest: /root/.selected_editor
regexp: '^SELECTED_EDITOR='
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
@ -74,7 +76,7 @@
when: evolinux_root_vim_default | bool
- name: Setting vim root configuration
lineinfile:
ansible.builtin.lineinfile:
dest: /root/.vimrc
line: "{{ item }}"
create: yes
@ -89,7 +91,7 @@
when: evolinux_root_vim_conf | bool
- name: disable SSH access for root
replace:
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
@ -99,7 +101,7 @@
### Disabled : it seems useless and too dangerous for now
# - name: remove root from AllowUsers directive
# replace:
# ansible.builtin.replace:
# dest: /etc/ssh/sshd_config
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
# replace: '\1\4'
@ -107,4 +109,4 @@
# notify: reload sshd
# when: evolinux_root_disable_ssh
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
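Review bot: The `disable SSH access for root` task edits only `/etc/ssh/sshd_config`, but on Debian 11 and later that file begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a drop-in with `PermitRootLogin yes` (some cloud images ship one) silently wins over the `PermitRootLogin no` written here; the rest of this task, including its notify, lies outside the hunk. Either let the role write its own early drop-in such as `/etc/ssh/sshd_config.d/00-evolinux.conf`, or add a verification step, `ansible.builtin.command: sshd -T` registered and checked with `failed_when: "'permitrootlogin no' not in sshd_effective.stdout"`, so the intended state is confirmed rather than assumed. The `regexp:` also only covers `yes|without-password|prohibit-password`, so an existing `PermitRootLogin forced-commands-only` line is left untouched.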


@ -1,14 +1,14 @@
---
- name: /tmp must be world-writable
file:
ansible.builtin.file:
path: /tmp
state: directory
mode: "u=rwx,g=rwx,o=rwxt"
when: evolinux_system_chmod_tmp | bool
- name: Setting default locales
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/locale.gen
line: "{{ item }}"
create: yes
@ -21,11 +21,12 @@
when: evolinux_system_locales | bool
- name: Reconfigure locales
command: /usr/sbin/locale-gen
ansible.builtin.command:
cmd: /usr/sbin/locale-gen
when: evolinux_system_locales and default_locales is changed
- name: Setting default timezone
timezone:
community.general.timezone:
name: "{{ evolinux_system_timezone | mandatory }}"
notify: restart cron
when: evolinux_system_set_timezone | bool
@ -37,20 +38,20 @@
name: evolix/remount-usr
- name: Ensure automagic vim conf is disabled
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/vim/vimrc
regexp: 'let g:skip_defaults_vim ='
line: 'let g:skip_defaults_vim = 1'
when: evolinux_system_vim_skip_defaults | bool
- name: Setting vim as default editor
alternatives:
community.general.alternatives:
name: editor
path: /usr/bin/vim.basic
when: evolinux_system_vim_default_editor | bool
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/profile.d/evolinux.sh
line: "umask 027"
create: yes
@ -58,7 +59,7 @@
when: evolinux_system_profile | bool
- name: Set /etc/adduser.conf DIR_MODE to 0700
replace:
ansible.builtin.replace:
dest: /etc/adduser.conf
regexp: "^DIR_MODE=0755$"
replace: "DIR_MODE=0700"
@ -67,7 +68,7 @@
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
- name: Deactivating login on all tty except tty2
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/securetty
line: "tty2"
create: yes
@ -75,7 +76,7 @@
when: evolinux_system_restrict_securetty | bool
- name: Setting TMOUT to disconnect inactive users
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/profile.d/evolinux.sh
line: "export TMOUT={{ evolinux_system_timeout }}"
regexp: "^export TMOUT="
@ -86,8 +87,8 @@
#- name: Customizing /etc/fstab
- name: Check if cron is installed
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
executable: /bin/bash
check_mode: no
failed_when: False
@ -95,7 +96,7 @@
register: is_cron_installed
- name: Set verbose logging for cron deamon
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/default/cron
line: "EXTRA_OPTS='-L 15'"
create: yes
@ -105,7 +106,7 @@
- evolinux_system_cron_verboselog | bool
- name: Modify default umask for cron deamon
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/default/cron
line: "umask 022"
create: yes
@ -115,7 +116,7 @@
- evolinux_system_cron_umask | bool
- name: Randomize periodic crontabs
replace:
ansible.builtin.replace:
dest: /etc/crontab
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
@ -134,7 +135,7 @@
## alert5
- name: Install alert5 init script (jessie/stretch)
template:
ansible.builtin.template:
src: system/alert5.sysvinit.j2
dest: /etc/init.d/alert5
force: no
@ -144,7 +145,7 @@
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
- name: Enable alert5 init script (jessie/stretch)
service:
ansible.builtin.service:
name: alert5
enabled: yes
when:
@ -155,7 +156,7 @@
- name: Install alert5 init script (buster and later)
template:
ansible.builtin.template:
src: system/alert5.sh.j2
dest: /usr/share/scripts/alert5.sh
force: no
@ -165,7 +166,7 @@
- ansible_distribution_major_version is version('10', '>=')
- name: Install alert5 service (buster and later)
copy:
ansible.builtin.copy:
src: alert5.service
dest: /etc/systemd/system/alert5.service
force: yes
@ -175,7 +176,7 @@
- ansible_distribution_major_version is version('10', '>=')
- name: Enable alert5 init script (buster and later)
systemd:
ansible.builtin.systemd:
name: alert5
daemon_reload: yes
enabled: yes
@ -188,14 +189,15 @@
## network interfaces
- name: "Is there an \"allow-hotplug\" interface ?"
command: grep allow-hotplug /etc/network/interfaces
ansible.builtin.command:
cmd: grep allow-hotplug /etc/network/interfaces
failed_when: False
changed_when: False
check_mode: no
register: grep_hotplug_eni
- name: "Network interfaces must be \"auto\" and not \"allow-hotplug\""
replace:
ansible.builtin.replace:
dest: /etc/network/interfaces
regexp: "allow-hotplug"
replace: "auto"
@ -203,6 +205,4 @@
- evolinux_system_eni_auto | bool
- grep_hotplug_eni.rc == 0
## /sbin/deny
- meta: flush_handlers
- ansible.builtin.meta: flush_handlers
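Review bot: `export TMOUT={{ evolinux_system_timeout }}` in `/etc/profile.d/evolinux.sh` is only advisory: an interactive user can `unset TMOUT` or reassign it, so the idle disconnect is not enforced unless the variable is made read-only. Writing `line: "readonly TMOUT={{ evolinux_system_timeout }}; export TMOUT"` together with `regexp: "^(export |readonly )?TMOUT="` keeps the task idempotent on hosts that already carry the old `export` line (`readonly name=value` is POSIX, so it works for both bash and dash login shells). The `/etc/securetty` task is likely a no-op on Debian 11 and later, where `login` no longer consults that file; a comment naming the releases it still affects would save the next maintainer a check.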


@ -7,7 +7,7 @@
file: dump-server-state.yml
- name: "/sbin/deny script is present"
copy:
ansible.builtin.copy:
src: deny.sh
dest: /sbin/deny
mode: "0700"
@ -16,7 +16,7 @@
force: no
- name: update-evobackup-canary script is present
copy:
ansible.builtin.copy:
src: update-evobackup-canary
dest: /usr/local/bin/update-evobackup-canary
force: True
@ -26,26 +26,17 @@
# TODO: delete when this has been run once on all our servers
- name: update-evobackup-canary is removed from sbin
file:
ansible.builtin.file:
path: /usr/local/sbin/update-evobackup-canary
state: absent
# - name: dir-check script is present
# copy:
# src: "dir-check.sh"
# dest: /usr/local/bin/dir-check
# force: True
# owner: root
# group: root
# mode: "0755"
- name: Deploy htop configuration
copy:
ansible.builtin.copy:
src: htoprc
dest: /etc/htoprc
mode: "0644"
- name: Deploy top configuration file
file:
ansible.builtin.file:
path: /etc/topdefaultrc
state: absent