From 8f25dfe041af6fe8a7d0cdcbc37a809791aec93b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:35:54 +0100 Subject: [PATCH] evolinux-base: syntax --- evolinux-base/tasks/default_www.yml | 16 ++++--- evolinux-base/tasks/dump-server-state.yml | 4 +- evolinux-base/tasks/etc-evolinux.yml | 2 +- evolinux-base/tasks/fstab.yml | 39 ++++++++-------- evolinux-base/tasks/hostname.yml | 22 ++++----- evolinux-base/tasks/kernel.yml | 18 ++++---- evolinux-base/tasks/log2mail.yml | 8 ++-- evolinux-base/tasks/logs.yml | 19 ++++---- evolinux-base/tasks/main.yml | 38 ++++++++-------- evolinux-base/tasks/motd.yml | 2 +- evolinux-base/tasks/packages.yml | 30 ++++++------- evolinux-base/tasks/postfix.yml | 32 ++++++------- evolinux-base/tasks/provider_online.yml | 6 +-- evolinux-base/tasks/provider_orange_fce.yml | 6 +-- evolinux-base/tasks/provider_vmware.yml | 5 ++- evolinux-base/tasks/root.yml | 34 +++++++------- evolinux-base/tasks/system.yml | 50 ++++++++++----------- evolinux-base/tasks/utils.yml | 19 +++----- 18 files changed, 175 insertions(+), 175 deletions(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 84580b54..2d94fe2b 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -1,13 +1,13 @@ --- - name: /var/www is present - file: + ansible.builtin.file: path: /var/www state: directory mode: "0755" when: evolinux_default_www_files | bool - name: images are copied - copy: + ansible.builtin.copy: src: default_www/img dest: /var/www/ mode: "0644" @@ -16,7 +16,7 @@ when: evolinux_default_www_files | bool - name: index is copied - template: + ansible.builtin.template: src: default_www/index.html.j2 dest: /var/www/index.html mode: "0644" 
@@ -28,21 +28,23 @@ - name: Default certificate is present block: - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" + ansible.builtin.command: + cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" args: creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" - name: Adjust rights on private key - file: + ansible.builtin.file: path: /etc/ssl/private/{{ ansible_fqdn }}.key owner: root group: ssl-cert mode: "0640" - name: Create certificate for default site - command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt + ansible.builtin.command: + cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt args: creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" when: evolinux_default_www_ssl_cert | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml index 7d4a55cd..33822377 100644 --- a/evolinux-base/tasks/dump-server-state.yml +++ b/evolinux-base/tasks/dump-server-state.yml @@ -1,5 +1,5 @@ - name: dump-server-state script is present - copy: + ansible.builtin.copy: src: "dump-server-state.sh" dest: /usr/local/sbin/dump-server-state force: True @@ -8,7 +8,7 @@ mode: "0750" - name: symlink backup-server-state to dump-server-state - file: + ansible.builtin.file: src: /usr/local/sbin/dump-server-state dest: /usr/local/sbin/backup-server-state state: link 
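Review bot: The default certificate built in the default_www.yml hunk carries only a CN (`-subj "/CN={{ ansible_fqdn }}"`) and no subjectAltName, so TLS clients that ignore CN will not match it to the hostname even where the self-signed cert is explicitly trusted, and because both `openssl` tasks are guarded by `creates:` the 10-year cert (`-days 3650`) is never re-issued once it expires or once the key/cert pair is out of step. If hostname matching matters for this vhost, add `-addext "subjectAltName=DNS:{{ ansible_fqdn }}"` to the `req` call (OpenSSL 1.1.1+) and carry the extension through the `x509 -req` step (`-copy_extensions copy` on OpenSSL 3.x, or an `-extfile`); otherwise a comment above the block stating that this is a placeholder cert not expected to validate would set expectations. `-nodes` leaves the key unencrypted on disk, which the following `0640 root:ssl-cert` task mitigates but is worth a one-line comment.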
diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index 56b0a976..e8ceb996 100644 --- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml @@ -2,7 +2,7 @@ ### This is taken care of by the evolinux-todo role # - name: /etc/evolinux exists -# file: +# ansible.builtin.file: # dest: /etc/evolinux # owner: root # group: root diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml index a3933844..a99ba692 100644 --- a/evolinux-base/tasks/fstab.yml +++ b/evolinux-base/tasks/fstab.yml 
@@ -4,69 +4,70 @@ # TODO: try to use the custom mount_uuid module for a different approach - name: Fetch fstab content - command: "grep -v '^#' /etc/fstab" + ansible.builtin.command: + cmd: "grep -v '^#' /etc/fstab" check_mode: no register: fstab_content failed_when: False changed_when: False - name: /home partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3' notify: remount /home when: - - fstab_content.stdout | regex_search('\s/home\s') - - evolinux_fstab_home | bool + - fstab_content.stdout | regex_search('\s/home\s') + - evolinux_fstab_home | bool - name: /tmp partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3' when: - - fstab_content.stdout | regex_search('\s/tmp\s') - - evolinux_fstab_tmp | bool + - fstab_content.stdout | regex_search('\s/tmp\s') + - evolinux_fstab_tmp | bool - name: /usr partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3' when: - - fstab_content.stdout | regex_search('\s/usr\s') - - evolinux_fstab_usr | bool + - fstab_content.stdout | regex_search('\s/usr\s') + - evolinux_fstab_usr | bool - name: /var partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3' notify: remount /var when: - - fstab_content.stdout | regex_search('\s/var\s') - - evolinux_fstab_var | bool + - fstab_content.stdout | regex_search('\s/var\s') + - evolinux_fstab_var | bool - name: /var/tmp is created - mount: + ansible.posix.mount: src: tmpfs name: /var/tmp fstype: tmpfs opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}" state: mounted when: - 
- evolinux_fstab_var_tmp | bool + - evolinux_fstab_var_tmp | bool - name: /dev/shm is created (Debian 10 and later) - mount: + ansible.posix.mount: src: tmpfs name: /dev/shm fstype: tmpfs opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}" state: mounted when: - - evolinux_fstab_dev_shm | bool - - ansible_distribution_major_version is version('10', '>=') + - evolinux_fstab_dev_shm | bool + - ansible_distribution_major_version is version('10', '>=') -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index ec3f99d1..b283a51e 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -1,29 +1,29 @@ --- - name: dbus is installed - apt: + ansible.builtin.apt: name: dbus state: present - name: dbus is enabled and started - service: + ansible.builtin.systemd: name: dbus state: started enabled: true - name: Set hostname "{{ evolinux_hostname }}" - hostname: + ansible.builtin.hostname: name: "{{ evolinux_hostname }}" when: evolinux_hostname_hosts | bool - name: Set right localhost line in /etc/hosts - replace: + ansible.builtin.replace: dest: /etc/hosts regexp: '^127.0.0.1(\s+)localhost.*$' replace: '127.0.0.1\1localhost.localdomain localhost' when: evolinux_hostname_hosts | bool - name: Set ip+fqdn+hostname in /etc/hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: '^{{ ansible_default_ipv4.address }}\s+' line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}" 
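Review bot: The option-rewriting regexps in the fstab.yml hunk (`([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)` and the /tmp, /usr and /var variants) only match an options field made of lowercase letters and commas, so an existing entry such as `defaults,errors=remount-ro` or anything containing `=` or digits is silently left untouched — `replace` reports ok rather than failing when nothing matches, so the hardening options in `evolinux_fstab_*_options` would never be applied and nobody would notice. Use `(\S+)` for the options group, e.g. `regexp: '([^#]\s+/home\s+\S+\s+)(\S+)(\s+)'`, and consider a follow-up check that the expected options are present. Also note that the /tmp and /usr tasks have no `notify: remount ...` unlike /home and /var, so their new options only take effect at the next reboot; if that is deliberate, a comment saying so would help.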
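Review bot: In the hostname.yml hunk the `lineinfile` regexp `'^{{ ansible_default_ipv4.address }}\s+'` interpolates the IP into a regular expression unescaped, so each `.` matches any character; use `regexp: '^{{ ansible_default_ipv4.address | regex_escape }}\s+'`. The same task errors out on a host where `ansible_default_ipv4` has no `address` (no default route), so if such hosts are in scope add `ansible_default_ipv4.address is defined` to its `when:` (the `when:` line is outside this hunk).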
@@ -31,14 +31,14 @@ when: evolinux_hostname_hosts | bool - name: 127.0.1.1 is removed - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: '^127.0.1.1\s+' state: absent when: evolinux_hostname_hosts | bool - name: /etc/mailname is up-to-date - copy: + ansible.builtin.copy: dest: /etc/mailname content: "{{ evolinux_fqdn }}\n" force: yes @@ -47,18 +47,18 @@ # Override facts - name: Override ansible_hostname fact - set_fact: + ansible.builtin.set_fact: ansible_hostname: "{{ evolinux_hostname }}" when: ansible_hostname != evolinux_hostname - name: Override ansible_domain fact - set_fact: + ansible.builtin.set_fact: ansible_domain: "{{ evolinux_domain }}" when: ansible_domain != evolinux_domain - name: Override ansible_fqdn fact - set_fact: + ansible.builtin.set_fact: ansible_fqdn: "{{ evolinux_fqdn }}" when: ansible_fqdn != evolinux_fqdn -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 62569b08..da3abf57 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -1,7 +1,7 @@ --- - name: "Use Cloud kernel on virtual servers" - apt: + ansible.builtin.apt: name: "linux-image-cloud-amd64" state: present when: @@ -10,7 +10,7 @@ - evolinux_kernel_cloud_auto | bool - name: "Remove non-Cloud kernel on virtual servers" - apt: + ansible.builtin.apt: name: "linux-image-amd64" state: absent when: @@ -19,7 +19,7 @@ - evolinux_kernel_cloud_auto | bool - name: Reboot after panic - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -31,7 +31,7 @@ when: evolinux_kernel_reboot_after_panic | bool - name: Don't reboot after panic - sysctl: + ansible.posix.sysctl: name: "{{ item }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: absent 
@@ -42,7 +42,7 @@ when: not evolinux_kernel_reboot_after_panic | bool - name: Disable net.ipv4.tcp_timestamps - sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_timestamps value: '0' sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -51,7 +51,7 @@ when: evolinux_kernel_disable_tcp_timestamps | bool - name: Customize the swappiness - sysctl: + ansible.posix.sysctl: name: vm.swappiness value: "{{ evolinux_kernel_swappiness }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -60,7 +60,7 @@ when: evolinux_kernel_customize_swappiness | bool - name: Patch for TCP stack vulnerability CVE-2016-5696 - sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_challenge_ack_limit value: "1073741823" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -69,7 +69,7 @@ when: evolinux_kernel_cve20165696 | bool - name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack) - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -81,4 +81,4 @@ - { name: "net.ipv4.ipfrag_high_thresh", value: "262144" } - { name: "net.ipv6.ip6frag_high_thresh", value: "262144" } -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 35ce19cf..9a1f3314 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -1,24 +1,24 @@ --- - name: Deploy log2mail systemd unit - copy: + ansible.builtin.copy: src: log2mail.service dest: /etc/systemd/system/log2mail.service mode: "0644" - name: Remove log2mail sysvinit service - file: + ansible.builtin.file: path: /etc/init.d/log2mail state: absent - name: Enable and start log2mail service - systemd: + ansible.builtin.systemd: name: log2mail daemon-reload: yes state: started enabled: yes - name: log2mail config is present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/log2mail/config/default owner: log2mail group: adm 
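Review bot: The `Patch for TCP stack vulnerability CVE-2016-5696` task in the kernel.yml hunk only raises `net.ipv4.tcp_challenge_ack_limit`; on kernels that carry the upstream fix (4.7 and later, and distribution backports of it) the challenge-ACK rate is randomized and this sysctl is inert, so it is worth a comment such as `# Only meaningful on kernels without the randomized challenge-ACK fix; harmless elsewhere.` so nobody mistakes it for a complete mitigation. Similarly, the `Disable net.ipv4.tcp_timestamps` task trades away PAWS and RTT measurement to hide uptime; a comment recording that trade-off next to the `evolinux_kernel_disable_tcp_timestamps` switch would help operators decide whether to enable it.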
diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml index 8298486e..a6dd97ad 100644 --- a/evolinux-base/tasks/logs.yml +++ b/evolinux-base/tasks/logs.yml @@ -3,7 +3,7 @@ # TODO: voir comment faire des backups initiaux des fichiers - name: Copy rsyslog.conf - copy: + ansible.builtin.copy: src: logs/rsyslog.conf dest: /etc/rsyslog.conf mode: "0644" @@ -11,7 +11,8 @@ when: evolinux_logs_rsyslog_conf | bool - name: Disable logrotate default conf - command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled + ansible.builtin.command: + cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled args: removes: /etc/logrotate.d/rsyslog creates: /etc/logrotate.d/rsyslog.disabled @@ -19,33 +20,33 @@ when: evolinux_logs_disable_logrotate_rsyslog | bool - name: Copy many logrotate files - copy: + ansible.builtin.copy: src: logs/logrotate.d/ dest: /etc/logrotate.d/ when: evolinux_logs_logrotate_confs | bool - name: Copy rsyslog logrotate file - template: + ansible.builtin.template: src: logs/zsyslog.j2 dest: /etc/logrotate.d/zsyslog when: evolinux_logs_logrotate_confs | bool - name: Configure logrotate.conf default rotate value - replace: + ansible.builtin.replace: dest: /etc/logrotate.conf regexp: "rotate [0-9]+" replace: "rotate 12" when: evolinux_logs_default_rotate | bool - name: Enable logrotate.conf dateext option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "dateext" regexp: "^#?\\s*dateext" when: evolinux_logs_default_dateext | bool - name: Enable logrotate.conf dateformat option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}" regexp: "^#?\\s*dateformat.*" 
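Review bot: The `mv` task in the logs.yml hunk is guarded by both `removes: /etc/logrotate.d/rsyslog` and `creates: /etc/logrotate.d/rsyslog.disabled`, so once `rsyslog.disabled` exists the task is skipped for good — if a package reinstall or a manual restore brings `/etc/logrotate.d/rsyslog` back, the stock rotation will run alongside the role's `zsyslog` configuration, presumably over the same files. `removes` alone already prevents re-running when there is nothing to move, so drop the `creates:` line, or replace the rename with `ansible.builtin.file: path: /etc/logrotate.d/rsyslog, state: absent` once the role's own config is in place.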
@@ -53,11 +54,11 @@ when: evolinux_logs_default_dateext | bool - name: Disable logrotate.conf dateyesterday option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "# dateyesterday" regexp: "^\\s*dateyesterday" insertafter: 'dateext' when: evolinux_logs_default_dateext | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index ecbfe069..29a77524 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -14,7 +14,7 @@ apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" apt_upgrade: "{{ evolinux_apt_upgrade }}" - apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}" + apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}" when: evolinux_apt_include | bool - name: /etc versioning with Git @@ -23,27 +23,27 @@ when: evolinux_etcgit_include | bool - name: /etc/evolinux base - include: etc-evolinux.yml + import_tasks: etc-evolinux.yml when: evolinux_etcevolinux_include | bool - name: Hostname - include: hostname.yml + import_tasks: hostname.yml when: evolinux_hostname_include | bool - name: Kernel tuning - include: kernel.yml + import_tasks: kernel.yml when: evolinux_kernel_include | bool - name: Fstab configuration - include: fstab.yml + import_tasks: fstab.yml when: evolinux_fstab_include | bool - name: Packages - include: packages.yml + import_tasks: packages.yml when: evolinux_packages_include | bool - name: System settings - include: system.yml + import_tasks: system.yml when: evolinux_system_include | bool - name: Minifirewall 
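Review bot: The rewritten `apt_basics_components` expression in the main.yml hunk has a precedence bug: in Jinja2 a filter binds tighter than `==`, so `ansible_virtualization_role == 'host' | ternary(...)` first evaluates `'host' | ternary('main contrib non-free', 'main')` (always `'main contrib non-free'`, since a non-empty string is truthy) and then compares the role to that string, which is never equal, so the variable becomes boolean `False` instead of a components string. This replaces an `if`/`else` form that was correct and will affect the APT sources generated for every host. Parenthesize the comparison: `apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}"`. The rest of the `include_role` block is outside the hunk.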
@@ -67,41 +67,43 @@ # when: evolinux_users_include - name: Root user configuration - include: root.yml + import_tasks: root.yml when: evolinux_root_include | bool - name: Postfix - include: postfix.yml + import_tasks: postfix.yml when: evolinux_postfix_include | bool - name: Logs management - include: logs.yml + import_tasks: logs.yml when: evolinux_logs_include | bool - name: Default index page - include: default_www.yml + import_tasks: default_www.yml when: evolinux_default_www_include | bool - name: Hardware drivers and tools - include: hardware.yml - when: evolinux_hardware_include | bool + import_tasks: hardware.yml + when: + - evolinux_hardware_include | bool + - ansible_virtualization_role == "host" - name: Customize for Online.net - include: provider_online.yml + import_tasks: provider_online.yml when: evolinux_provider_online_include | bool - name: Customize for Orange FCE - include: provider_orange_fce.yml + import_tasks: provider_orange_fce.yml when: evolinux_provider_orange_fce_include | bool - name: Override Log2mail service - include: log2mail.yml + import_tasks: log2mail.yml when: evolinux_log2mail_include | bool -- include: motd.yml +- import_tasks: motd.yml when: evolinux_motd_include | bool -- include: utils.yml +- import_tasks: utils.yml when: evolinux_utils_include | bool - name: Munin diff --git a/evolinux-base/tasks/motd.yml b/evolinux-base/tasks/motd.yml index 70079463..0d0b7157 100644 --- a/evolinux-base/tasks/motd.yml +++ b/evolinux-base/tasks/motd.yml @@ -1,6 +1,6 @@ --- - name: Deploy custom motd - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/motd force: True diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 4c2249e3..f8af347a 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -1,7 +1,7 @@ --- - name: Install/Update system tools - apt: + ansible.builtin.apt: name: - locales - sudo 
@@ -20,7 +20,7 @@ when: evolinux_packages_system | bool - name: Install/Update diagnostic tools - apt: + ansible.builtin.apt: name: - strace - htop @@ -39,7 +39,7 @@ when: evolinux_packages_diagnostic | bool - name: Install/Update hardware tools - apt: + ansible.builtin.apt: name: - hdparm - smartmontools @@ -47,7 +47,7 @@ when: ansible_virtualization_role == "host" - name: Install/Update common tools - apt: + ansible.builtin.apt: name: - vim - screen @@ -62,21 +62,21 @@ when: evolinux_packages_common | bool - name: Be sure that openntpd package is absent/purged - apt: + ansible.builtin.apt: name: openntpd state: absent purge: True when: evolinux_packages_purge_openntpd | bool - name: the chrony package is absent - apt: + ansible.builtin.apt: name: chrony purge: True state: absent when: evolinux_packages_purge_chrony | bool - name: Be sure locate/mlocate is absent/purged - apt: + ansible.builtin.apt: name: - locate - mlocate @@ -85,20 +85,20 @@ when: evolinux_packages_purge_locate | bool - name: Install/Update serveur-base meta-package - apt: + ansible.builtin.apt: name: serveur-base allow_unauthenticated: yes when: evolinux_packages_serveur_base | bool - name: Install/Update packages for Stretch and later - apt: + ansible.builtin.apt: name: net-tools when: - evolinux_packages_stretch | bool - ansible_distribution_major_version is version('9', '>=') - name: Install/Update packages for Buster and later - apt: + ansible.builtin.apt: name: - spectre-meltdown-checker - binutils @@ -107,14 +107,14 @@ - ansible_distribution_major_version is version('10', '>=') - name: Customize logcheck recipient - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logcheck/logcheck.conf regexp: '^SENDMAILTO=".*"$' line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' when: evolinux_packages_logcheck_recipient | bool - name: Deleting rpcbind and nfs-common - apt: + ansible.builtin.apt: name: - rpcbind - nfs-common 
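Review bot: The `serveur-base` task in the packages.yml hunk installs the meta-package with `allow_unauthenticated: yes`, which tells APT to accept a package whose repository signature cannot be verified — that removes the one control protecting against a tampered mirror or an on-path modification of the download. It predates this commit, but since the line is being touched: if the Evolix repository is signed (the role already exposes an `apt_install_evolix_public` switch), drop the option; if the package genuinely comes from an unsigned source, ship its signing key and use `[signed-by=...]` in the source entry instead. At minimum add a comment above the task explaining why signature checking is bypassed.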
@@ -125,7 +125,7 @@ # TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes) - name: Configure Listchanges on Jessie - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/listchanges.conf regexp: '^{{ item.option }}\s*=' line: "{{ item.option }}={{ item.value }}" @@ -138,7 +138,7 @@ - ansible_distribution_release == "jessie" - name: apt-listchanges is absent on Stretch and later - apt: + ansible.builtin.apt: name: apt-listchanges state: absent when: @@ -146,4 +146,4 @@ - ansible_distribution_major_version is version('9', '>=') - evolinux_packages_delete_aptlistchanges -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 6a46548b..1c5d986c 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -1,18 +1,18 @@ --- - name: Postfix packages are installed - apt: + ansible.builtin.apt: name: - postfix - mailgraph state: present - when: evolinux_postfix_packages | bool tags: - packages - postfix + when: evolinux_postfix_packages | bool - name: configure postfix myhostname - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present line: "myhostname = {{ evolinux_fqdn }}" @@ -22,7 +22,7 @@ - postfix - name: configure postfix mynetworks - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" @@ -32,8 +32,8 @@ - postfix - name: fetch users list - shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" executable: /bin/bash check_mode: no register: non_root_users_list 
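Review bot: The task named `configure postfix mynetworks` in the postfix.yml hunk actually writes `mydestination = ...`, not `mynetworks`; the misnomer matters because `mynetworks` is the relay-trust setting, and someone auditing the role for open-relay exposure will look for it under that name. Rename it: `- name: configure postfix mydestination`.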
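Review bot: The user-listing pipeline in the postfix.yml hunk, `getent passwd | cut -d':' -f 1 | grep -v root`, filters by substring, so any account whose name merely contains `root` (e.g. `nonroot`) is dropped from the aliasing loop, while every system account (`daemon`, `www-data`, ...) is included. Anchor the match: `cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -vx root"`. Note also that with `set -o pipefail`, `grep -v` exits 1 when it selects nothing, so the task's `failed_when` (outside this hunk) needs to tolerate that on a host where root is the only account.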
@@ -42,18 +42,18 @@ - postfix - name: each user is aliased to root - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^{{ item }}:.*" line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: evolinux_postfix_users_alias_root | bool tags: - postfix + when: evolinux_postfix_users_alias_root | bool - name: additional users address aliased to root - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^{{ item }}:.*" line: "{{ item }}: root" @@ -65,24 +65,24 @@ - error - bounce notify: newaliases - when: evolinux_postfix_mailer_alias_root | bool tags: - postfix + when: evolinux_postfix_mailer_alias_root | bool - name: root alias is configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: evolinux_postfix_root_alias | bool tags: - postfix + when: evolinux_postfix_root_alias | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers - name: exim4 is absent - apt: + ansible.builtin.apt: name: - exim4 - exim4-base @@ -90,9 +90,9 @@ - exim4-daemon-light purge: yes state: absent - when: evolinux_postfix_purge_exim | bool tags: - packages - postfix + when: evolinux_postfix_purge_exim | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/provider_online.yml b/evolinux-base/tasks/provider_online.yml index 8174d15c..5696e504 100644 --- a/evolinux-base/tasks/provider_online.yml +++ b/evolinux-base/tasks/provider_online.yml @@ -1,8 +1,8 @@ -- debug: +- ansible.builtin.debug: msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf." - name: custom NTP server for Online servers - set_fact: + ansible.builtin.set_fact: nagios_nrpe_default_ntp_server: "ntp.online.net" -# - meta: flush_handlers +# - ansible.builtin.meta: flush_handlers 
diff --git a/evolinux-base/tasks/provider_orange_fce.yml b/evolinux-base/tasks/provider_orange_fce.yml index 4b9a26c7..c861ccd1 100644 --- a/evolinux-base/tasks/provider_orange_fce.yml +++ b/evolinux-base/tasks/provider_orange_fce.yml @@ -1,5 +1,5 @@ - name: Customize kernel for Orange FCE - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/evolinux_fce.conf @@ -10,7 +10,7 @@ - { name: net.ipv4.tcp_keepalive_intvl, value: 60 } - { name: net.ipv6.conf.all.disable_ipv6, value: 1 } -- debug: +- ansible.builtin.debug: msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf." -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml index dbf93d0e..04daa219 100644 --- a/evolinux-base/tasks/provider_vmware.yml +++ b/evolinux-base/tasks/provider_vmware.yml @@ -1,6 +1,7 @@ --- - name: Check if the virtual machine on VMWare Host - shell: "dmidecode | grep -q 'VMware'" + ansible.builtin.shell: + cmd: "dmidecode | grep -q 'VMware'" check_mode: no register: vmware_provider failed_when: False @@ -9,7 +10,7 @@ - packages - name: OpenVM Tools are installed for vmware - apt: + ansible.builtin.apt: state: present name: open-vm-tools tags: diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 3e3d6add..3b17faf7 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -1,14 +1,14 @@ --- - name: chmod 700 /root - file: + ansible.builtin.file: path: /root state: directory mode: "0700" when: evolinux_root_chmod | bool - name: "Customize root's bashrc..." - lineinfile: + ansible.builtin.lineinfile: dest: /root/.bashrc line: "{{ item }}" create: yes 
@@ -24,34 +24,35 @@ ## .bash_history should be append-only - name: Create .bash_history if missing - copy: + ansible.builtin.copy: content: "" dest: "/root/.bash_history" force: no when: evolinux_root_bash_history | bool - name: Set umask in /root/.profile - lineinfile: + ansible.builtin.lineinfile: dest: "/root/.profile" line: "umask 0077" regexp: "umask [0-9]+" when: evolinux_root_umask | bool - name: "/usr/share/scripts is present in root's PATH" - lineinfile: + ansible.builtin.lineinfile: dest: "/root/.profile" line: "PATH=\"${PATH}:/usr/share/scripts\"" when: ansible_distribution_major_version is version('10', '>=') - name: Custom git config for root - copy: + ansible.builtin.copy: src: root/gitconfig dest: "/root/.gitconfig" force: no when: evolinux_root_gitconfig | bool - name: Is .bash_history append-only - shell: lsattr /root/.bash_history | grep -E "^.*a.* " + ansible.builtin.shell: + cmd: lsattr /root/.bash_history | grep -E "^.*a.* " check_mode: no register: bash_history_append_only failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr" @@ -59,14 +60,15 @@ changed_when: False - name: Set .bash_history append-only - command: chattr +a /root/.bash_history + ansible.builtin.command: + cmd: chattr +a /root/.bash_history when: - - evolinux_root_bash_history_appendonly | bool - - bash_history_append_only.rc != 0 - - "'Inappropriate ioctl' not in bash_history_append_only.stderr" + - evolinux_root_bash_history_appendonly | bool + - bash_history_append_only.rc != 0 + - "'Inappropriate ioctl' not in bash_history_append_only.stderr" - name: Setting vim as selected-editor - lineinfile: + ansible.builtin.lineinfile: dest: /root/.selected_editor regexp: '^SELECTED_EDITOR=' line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\"" @@ -74,7 +76,7 @@ when: evolinux_root_vim_default | bool - name: Setting vim root configuration - lineinfile: + ansible.builtin.lineinfile: dest: /root/.vimrc line: "{{ item }}" create: yes 
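Review bot: The `/usr/share/scripts is present in root's PATH` task in the root.yml hunk appends a directory to root's `PATH` without any task asserting that `/usr/share/scripts` exists and is root-owned and not group/world-writable; if that directory is ever created or left writable by another account, any command name that is not found earlier in PATH (a typo, a tool that is not installed) becomes a privilege-escalation path for that account. Unless another role already guarantees it, add an `ansible.builtin.file` task before this one with `path: /usr/share/scripts`, `state: directory`, `owner: root`, `group: root`, `mode: "0755"` (the alert5 task later in this commit writes into the same directory). The `lineinfile` here also has no `regexp`, so an existing variant of the line cannot be corrected later.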
@@ -89,7 +91,7 @@ when: evolinux_root_vim_conf | bool - name: disable SSH access for root - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" @@ -99,7 +101,7 @@ ### Disabled : it seems useless and too dangerous for now # - name: remove root from AllowUsers directive -# replace: +# ansible.builtin.replace: # dest: /etc/ssh/sshd_config # regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' # replace: '\1\4' @@ -107,4 +109,4 @@ # notify: reload sshd # when: evolinux_root_disable_ssh -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 5d71e827..c6965e09 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -1,14 +1,14 @@ --- - name: /tmp must be world-writable - file: + ansible.builtin.file: path: /tmp state: directory mode: "u=rwx,g=rwx,o=rwxt" when: evolinux_system_chmod_tmp | bool - name: Setting default locales - lineinfile: + ansible.builtin.lineinfile: dest: /etc/locale.gen line: "{{ item }}" create: yes @@ -21,11 +21,12 @@ when: evolinux_system_locales | bool - name: Reconfigure locales - command: /usr/sbin/locale-gen + ansible.builtin.command: + cmd: /usr/sbin/locale-gen when: evolinux_system_locales and default_locales is changed - name: Setting default timezone - timezone: + community.general.timezone: name: "{{ evolinux_system_timezone | mandatory }}" notify: restart cron when: evolinux_system_set_timezone | bool 
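Review bot: The `disable SSH access for root` task in the root.yml hunk uses `replace` with `^#?PermitRootLogin (yes|without-password|prohibit-password)`, so it does nothing when the directive is absent from `sshd_config` (the compiled-in default then stays in force), does not match `forced-commands-only`, and cannot see drop-ins under `/etc/ssh/sshd_config.d/` — on Debian releases whose stock `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it reads, so a drop-in such as cloud-init's with `PermitRootLogin yes` silently wins over this edit. A `lineinfile` with `regexp: '^#?\s*PermitRootLogin\b'` and `line: "PermitRootLogin no"` at least guarantees an explicit setting when the directive is missing; for the drop-in case, writing `PermitRootLogin no` into a lexically-first file such as `/etc/ssh/sshd_config.d/00-evolinux.conf` where that directory exists is the robust option. The task's `notify`/`when` lines are outside this hunk.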
@@ -37,20 +38,20 @@ name: evolix/remount-usr - name: Ensure automagic vim conf is disabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/vim/vimrc regexp: 'let g:skip_defaults_vim =' line: 'let g:skip_defaults_vim = 1' when: evolinux_system_vim_skip_defaults | bool - name: Setting vim as default editor - alternatives: + community.general.alternatives: name: editor path: /usr/bin/vim.basic when: evolinux_system_vim_default_editor | bool - name: Add "umask 027" to /etc/profile.d/evolinux.sh - lineinfile: + ansible.builtin.lineinfile: dest: /etc/profile.d/evolinux.sh line: "umask 027" create: yes @@ -58,7 +59,7 @@ when: evolinux_system_profile | bool - name: Set /etc/adduser.conf DIR_MODE to 0700 - replace: + ansible.builtin.replace: dest: /etc/adduser.conf regexp: "^DIR_MODE=0755$" replace: "DIR_MODE=0700" @@ -67,7 +68,7 @@ # TODO: trouver comment ne pas faire ça sur Xen Dom-U - name: Deactivating login on all tty except tty2 - lineinfile: + ansible.builtin.lineinfile: dest: /etc/securetty line: "tty2" create: yes @@ -75,7 +76,7 @@ when: evolinux_system_restrict_securetty | bool - name: Setting TMOUT to disconnect inactive users - lineinfile: + ansible.builtin.lineinfile: dest: /etc/profile.d/evolinux.sh line: "export TMOUT={{ evolinux_system_timeout }}" regexp: "^export TMOUT=" @@ -86,8 +87,8 @@ #- name: Customizing /etc/fstab - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -95,7 +96,7 @@ register: is_cron_installed - name: Set verbose logging for cron deamon - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/cron line: "EXTRA_OPTS='-L 15'" create: yes 
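Review bot: The `Setting TMOUT` task in the system.yml hunk writes `export TMOUT={{ evolinux_system_timeout }}`, but a plain exported variable is undone by the user with `unset TMOUT` or `TMOUT=0`, so if the goal is an enforced idle logout rather than a default, make it read-only as the CIS benchmarks do: `line: "TMOUT={{ evolinux_system_timeout }}; readonly TMOUT; export TMOUT"` with `regexp: "^(export )?TMOUT="` so the older form is replaced rather than duplicated. Making it read-only will break scripts that set TMOUT themselves, so whichever way this goes deserves a comment next to the `evolinux_system_timeout` switch.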
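Review bot: The `Deactivating login on all tty except tty2` task in the system.yml hunk only ensures that a `tty2` line exists (`lineinfile` with `line: "tty2"`, `create: yes` and no `regexp`); on a host that already has a populated `/etc/securetty`, every other tty stays allowed, so the task name promises more than the task does. If tty2-only is really the intent, write the whole file with `ansible.builtin.copy` and `content: "tty2\n"`; and since newer Debian releases may no longer ship `/etc/securetty` or consult it from the login PAM stack, verify on the targets and add a comment or version guard so this is not mistaken for an active control.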
@@ -105,7 +106,7 @@ - evolinux_system_cron_verboselog | bool - name: Modify default umask for cron deamon - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/cron line: "umask 022" create: yes @@ -115,7 +116,7 @@ - evolinux_system_cron_umask | bool - name: Randomize periodic crontabs - replace: + ansible.builtin.replace: dest: /etc/crontab regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" @@ -134,7 +135,7 @@ ## alert5 - name: Install alert5 init script (jessie/stretch) - template: + ansible.builtin.template: src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 force: no @@ -144,7 +145,7 @@ - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" - name: Enable alert5 init script (jessie/stretch) - service: + ansible.builtin.service: name: alert5 enabled: yes when: @@ -155,7 +156,7 @@ - name: Install alert5 init script (buster and later) - template: + ansible.builtin.template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh force: no @@ -165,7 +166,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Install alert5 service (buster and later) - copy: + ansible.builtin.copy: src: alert5.service dest: /etc/systemd/system/alert5.service force: yes @@ -175,7 +176,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Enable alert5 init script (buster and later) - systemd: + ansible.builtin.systemd: name: alert5 daemon_reload: yes enabled: yes @@ -188,14 +189,15 @@ ## network interfaces - name: "Is there an \"allow-hotplug\" interface ?" - command: grep allow-hotplug /etc/network/interfaces + ansible.builtin.command: + cmd: grep allow-hotplug /etc/network/interfaces failed_when: False changed_when: False check_mode: no register: grep_hotplug_eni - name: "Network interfaces must be \"auto\" and not \"allow-hotplug\"" - replace: + ansible.builtin.replace: dest: /etc/network/interfaces regexp: "allow-hotplug" replace: "auto" 
@@ -203,6 +205,4 @@ - evolinux_system_eni_auto | bool - grep_hotplug_eni.rc == 0 -## /sbin/deny - -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index c8aa58e8..76fbac82 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -7,7 +7,7 @@ file: dump-server-state.yml - name: "/sbin/deny script is present" - copy: + ansible.builtin.copy: src: deny.sh dest: /sbin/deny mode: "0700" @@ -16,7 +16,7 @@ force: no - name: update-evobackup-canary script is present - copy: + ansible.builtin.copy: src: update-evobackup-canary dest: /usr/local/bin/update-evobackup-canary force: True @@ -26,26 +26,17 @@ # TODO: delete when this has been run once on all our servers - name: update-evobackup-canary is removed from sbin - file: + ansible.builtin.file: path: /usr/local/sbin/update-evobackup-canary state: absent -# - name: dir-check script is present -# copy: -# src: "dir-check.sh" -# dest: /usr/local/bin/dir-check -# force: True -# owner: root -# group: root -# mode: "0755" - - name: Deploy htop configuration - copy: + ansible.builtin.copy: src: htoprc dest: /etc/htoprc mode: "0644" - name: Deploy top configuration file - file: + ansible.builtin.file: path: /etc/topdefaultrc state: absent