evolinux-base: syntax

Jérémy Lecour 2023-03-18 18:35:54 +01:00 committed by Jérémy Lecour
parent 6f61a0744c
commit 8f25dfe041
18 changed files with 175 additions and 175 deletions


@ -1,13 +1,13 @@
--- ---
- name: /var/www is present - name: /var/www is present
file: ansible.builtin.file:
path: /var/www path: /var/www
state: directory state: directory
mode: "0755" mode: "0755"
when: evolinux_default_www_files | bool when: evolinux_default_www_files | bool
- name: images are copied - name: images are copied
copy: ansible.builtin.copy:
src: default_www/img src: default_www/img
dest: /var/www/ dest: /var/www/
mode: "0644" mode: "0644"
@ -16,7 +16,7 @@
when: evolinux_default_www_files | bool when: evolinux_default_www_files | bool
- name: index is copied - name: index is copied
template: ansible.builtin.template:
src: default_www/index.html.j2 src: default_www/index.html.j2
dest: /var/www/index.html dest: /var/www/index.html
mode: "0644" mode: "0644"
@ -28,21 +28,23 @@
- name: Default certificate is present - name: Default certificate is present
block: block:
- name: Create private key and csr for default site ({{ ansible_fqdn }}) - name: Create private key and csr for default site ({{ ansible_fqdn }})
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" ansible.builtin.command:
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
args: args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
- name: Adjust rights on private key - name: Adjust rights on private key
file: ansible.builtin.file:
path: /etc/ssl/private/{{ ansible_fqdn }}.key path: /etc/ssl/private/{{ ansible_fqdn }}.key
owner: root owner: root
group: ssl-cert group: ssl-cert
mode: "0640" mode: "0640"
- name: Create certificate for default site - name: Create certificate for default site
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt ansible.builtin.command:
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
args: args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
when: evolinux_default_www_ssl_cert | bool when: evolinux_default_www_ssl_cert | bool
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
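Review bot: Both converted `ansible.builtin.command` tasks put `cmd` under the module but leave `creates` under a task-level `args:` key, so the module's parameters are split across two places. The `fetch users list` task in the postfix file of this same commit drops `args:` and sets `executable` next to `cmd`; the matching layout here is `creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"` directly under `cmd:`, and likewise for the certificate task. The `Disable logrotate default conf` task in the logs file has the same split for `removes` and `creates`.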


@ -1,5 +1,5 @@
- name: dump-server-state script is present - name: dump-server-state script is present
copy: ansible.builtin.copy:
src: "dump-server-state.sh" src: "dump-server-state.sh"
dest: /usr/local/sbin/dump-server-state dest: /usr/local/sbin/dump-server-state
force: True force: True
@ -8,7 +8,7 @@
mode: "0750" mode: "0750"
- name: symlink backup-server-state to dump-server-state - name: symlink backup-server-state to dump-server-state
file: ansible.builtin.file:
src: /usr/local/sbin/dump-server-state src: /usr/local/sbin/dump-server-state
dest: /usr/local/sbin/backup-server-state dest: /usr/local/sbin/backup-server-state
state: link state: link


@ -2,7 +2,7 @@
### This is taken care of by the evolinux-todo role ### This is taken care of by the evolinux-todo role
# - name: /etc/evolinux exists # - name: /etc/evolinux exists
# file: # ansible.builtin.file:
# dest: /etc/evolinux # dest: /etc/evolinux
# owner: root # owner: root
# group: root # group: root


@ -4,69 +4,70 @@
# TODO: try to use the custom mount_uuid module for a different approach # TODO: try to use the custom mount_uuid module for a different approach
- name: Fetch fstab content - name: Fetch fstab content
command: "grep -v '^#' /etc/fstab" ansible.builtin.command:
cmd: "grep -v '^#' /etc/fstab"
check_mode: no check_mode: no
register: fstab_content register: fstab_content
failed_when: False failed_when: False
changed_when: False changed_when: False
- name: /home partition is customized - name: /home partition is customized
replace: ansible.builtin.replace:
dest: /etc/fstab dest: /etc/fstab
regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)' regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3' replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
notify: remount /home notify: remount /home
when: when:
- fstab_content.stdout | regex_search('\s/home\s') - fstab_content.stdout | regex_search('\s/home\s')
- evolinux_fstab_home | bool - evolinux_fstab_home | bool
- name: /tmp partition is customized - name: /tmp partition is customized
replace: ansible.builtin.replace:
dest: /etc/fstab dest: /etc/fstab
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)' regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3' replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
when: when:
- fstab_content.stdout | regex_search('\s/tmp\s') - fstab_content.stdout | regex_search('\s/tmp\s')
- evolinux_fstab_tmp | bool - evolinux_fstab_tmp | bool
- name: /usr partition is customized - name: /usr partition is customized
replace: ansible.builtin.replace:
dest: /etc/fstab dest: /etc/fstab
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)' regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3' replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
when: when:
- fstab_content.stdout | regex_search('\s/usr\s') - fstab_content.stdout | regex_search('\s/usr\s')
- evolinux_fstab_usr | bool - evolinux_fstab_usr | bool
- name: /var partition is customized - name: /var partition is customized
replace: ansible.builtin.replace:
dest: /etc/fstab dest: /etc/fstab
regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)' regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3' replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
notify: remount /var notify: remount /var
when: when:
- fstab_content.stdout | regex_search('\s/var\s') - fstab_content.stdout | regex_search('\s/var\s')
- evolinux_fstab_var | bool - evolinux_fstab_var | bool
- name: /var/tmp is created - name: /var/tmp is created
mount: ansible.posix.mount:
src: tmpfs src: tmpfs
name: /var/tmp name: /var/tmp
fstype: tmpfs fstype: tmpfs
opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}" opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}"
state: mounted state: mounted
when: when:
- evolinux_fstab_var_tmp | bool - evolinux_fstab_var_tmp | bool
- name: /dev/shm is created (Debian 10 and later) - name: /dev/shm is created (Debian 10 and later)
mount: ansible.posix.mount:
src: tmpfs src: tmpfs
name: /dev/shm name: /dev/shm
fstype: tmpfs fstype: tmpfs
opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}" opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
state: mounted state: mounted
when: when:
- evolinux_fstab_dev_shm | bool - evolinux_fstab_dev_shm | bool
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
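Review bot: The four `ansible.builtin.replace` tasks capture the current mount options with `([a-z,]+)`, which cannot match an options field containing `=`, `-`, `_` or digits (for example `errors=remount-ro`). On such a line the regexp does not match, the task reports ok, and the value of `evolinux_fstab_*_options` is never written. If those variables carry hardening options, which their definitions outside this page would confirm, the miss is silent. Capturing the field as `(\S+)` accepts every valid options string; the change applies to the /home, /tmp, /usr and /var tasks alike.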


@ -1,29 +1,29 @@
--- ---
- name: dbus is installed - name: dbus is installed
apt: ansible.builtin.apt:
name: dbus name: dbus
state: present state: present
- name: dbus is enabled and started - name: dbus is enabled and started
service: ansible.builtin.systemd:
name: dbus name: dbus
state: started state: started
enabled: true enabled: true
- name: Set hostname "{{ evolinux_hostname }}" - name: Set hostname "{{ evolinux_hostname }}"
hostname: ansible.builtin.hostname:
name: "{{ evolinux_hostname }}" name: "{{ evolinux_hostname }}"
when: evolinux_hostname_hosts | bool when: evolinux_hostname_hosts | bool
- name: Set right localhost line in /etc/hosts - name: Set right localhost line in /etc/hosts
replace: ansible.builtin.replace:
dest: /etc/hosts dest: /etc/hosts
regexp: '^127.0.0.1(\s+)localhost.*$' regexp: '^127.0.0.1(\s+)localhost.*$'
replace: '127.0.0.1\1localhost.localdomain localhost' replace: '127.0.0.1\1localhost.localdomain localhost'
when: evolinux_hostname_hosts | bool when: evolinux_hostname_hosts | bool
- name: Set ip+fqdn+hostname in /etc/hosts - name: Set ip+fqdn+hostname in /etc/hosts
lineinfile: ansible.builtin.lineinfile:
dest: /etc/hosts dest: /etc/hosts
regexp: '^{{ ansible_default_ipv4.address }}\s+' regexp: '^{{ ansible_default_ipv4.address }}\s+'
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}" line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
@ -31,14 +31,14 @@
when: evolinux_hostname_hosts | bool when: evolinux_hostname_hosts | bool
- name: 127.0.1.1 is removed - name: 127.0.1.1 is removed
lineinfile: ansible.builtin.lineinfile:
dest: /etc/hosts dest: /etc/hosts
regexp: '^127.0.1.1\s+' regexp: '^127.0.1.1\s+'
state: absent state: absent
when: evolinux_hostname_hosts | bool when: evolinux_hostname_hosts | bool
- name: /etc/mailname is up-to-date - name: /etc/mailname is up-to-date
copy: ansible.builtin.copy:
dest: /etc/mailname dest: /etc/mailname
content: "{{ evolinux_fqdn }}\n" content: "{{ evolinux_fqdn }}\n"
force: yes force: yes
@ -47,18 +47,18 @@
# Override facts # Override facts
- name: Override ansible_hostname fact - name: Override ansible_hostname fact
set_fact: ansible.builtin.set_fact:
ansible_hostname: "{{ evolinux_hostname }}" ansible_hostname: "{{ evolinux_hostname }}"
when: ansible_hostname != evolinux_hostname when: ansible_hostname != evolinux_hostname
- name: Override ansible_domain fact - name: Override ansible_domain fact
set_fact: ansible.builtin.set_fact:
ansible_domain: "{{ evolinux_domain }}" ansible_domain: "{{ evolinux_domain }}"
when: ansible_domain != evolinux_domain when: ansible_domain != evolinux_domain
- name: Override ansible_fqdn fact - name: Override ansible_fqdn fact
set_fact: ansible.builtin.set_fact:
ansible_fqdn: "{{ evolinux_fqdn }}" ansible_fqdn: "{{ evolinux_fqdn }}"
when: ansible_fqdn != evolinux_fqdn when: ansible_fqdn != evolinux_fqdn
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
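Review bot: `dbus is enabled and started` is the one task in this file where the module itself changes, from `service` to `ansible.builtin.systemd`, instead of only gaining its fully qualified name. The generic module picks the init system of the target, while the systemd module requires systemd to be running there. If the role must keep working on targets without systemd, `ansible.builtin.service:` is the like-for-like replacement. Otherwise the switch deserves a line in the commit message, since the title announces a syntax-only change.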


@ -1,7 +1,7 @@
--- ---
- name: "Use Cloud kernel on virtual servers" - name: "Use Cloud kernel on virtual servers"
apt: ansible.builtin.apt:
name: "linux-image-cloud-amd64" name: "linux-image-cloud-amd64"
state: present state: present
when: when:
@ -10,7 +10,7 @@
- evolinux_kernel_cloud_auto | bool - evolinux_kernel_cloud_auto | bool
- name: "Remove non-Cloud kernel on virtual servers" - name: "Remove non-Cloud kernel on virtual servers"
apt: ansible.builtin.apt:
name: "linux-image-amd64" name: "linux-image-amd64"
state: absent state: absent
when: when:
@ -19,7 +19,7 @@
- evolinux_kernel_cloud_auto | bool - evolinux_kernel_cloud_auto | bool
- name: Reboot after panic - name: Reboot after panic
sysctl: ansible.posix.sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
value: "{{ item.value }}" value: "{{ item.value }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -31,7 +31,7 @@
when: evolinux_kernel_reboot_after_panic | bool when: evolinux_kernel_reboot_after_panic | bool
- name: Don't reboot after panic - name: Don't reboot after panic
sysctl: ansible.posix.sysctl:
name: "{{ item }}" name: "{{ item }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: absent state: absent
@ -42,7 +42,7 @@
when: not evolinux_kernel_reboot_after_panic | bool when: not evolinux_kernel_reboot_after_panic | bool
- name: Disable net.ipv4.tcp_timestamps - name: Disable net.ipv4.tcp_timestamps
sysctl: ansible.posix.sysctl:
name: net.ipv4.tcp_timestamps name: net.ipv4.tcp_timestamps
value: '0' value: '0'
sysctl_file: "{{ evolinux_kernel_sysctl_path }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -51,7 +51,7 @@
when: evolinux_kernel_disable_tcp_timestamps | bool when: evolinux_kernel_disable_tcp_timestamps | bool
- name: Customize the swappiness - name: Customize the swappiness
sysctl: ansible.posix.sysctl:
name: vm.swappiness name: vm.swappiness
value: "{{ evolinux_kernel_swappiness }}" value: "{{ evolinux_kernel_swappiness }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -60,7 +60,7 @@
when: evolinux_kernel_customize_swappiness | bool when: evolinux_kernel_customize_swappiness | bool
- name: Patch for TCP stack vulnerability CVE-2016-5696 - name: Patch for TCP stack vulnerability CVE-2016-5696
sysctl: ansible.posix.sysctl:
name: net.ipv4.tcp_challenge_ack_limit name: net.ipv4.tcp_challenge_ack_limit
value: "1073741823" value: "1073741823"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -69,7 +69,7 @@
when: evolinux_kernel_cve20165696 | bool when: evolinux_kernel_cve20165696 | bool
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack) - name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
sysctl: ansible.posix.sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
value: "{{ item.value }}" value: "{{ item.value }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
@ -81,4 +81,4 @@
- { name: "net.ipv4.ipfrag_high_thresh", value: "262144" } - { name: "net.ipv4.ipfrag_high_thresh", value: "262144" }
- { name: "net.ipv6.ip6frag_high_thresh", value: "262144" } - { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }
- meta: flush_handlers - ansible.builtin.meta: flush_handlers


@ -1,24 +1,24 @@
--- ---
- name: Deploy log2mail systemd unit - name: Deploy log2mail systemd unit
copy: ansible.builtin.copy:
src: log2mail.service src: log2mail.service
dest: /etc/systemd/system/log2mail.service dest: /etc/systemd/system/log2mail.service
mode: "0644" mode: "0644"
- name: Remove log2mail sysvinit service - name: Remove log2mail sysvinit service
file: ansible.builtin.file:
path: /etc/init.d/log2mail path: /etc/init.d/log2mail
state: absent state: absent
- name: Enable and start log2mail service - name: Enable and start log2mail service
systemd: ansible.builtin.systemd:
name: log2mail name: log2mail
daemon-reload: yes daemon-reload: yes
state: started state: started
enabled: yes enabled: yes
- name: log2mail config is present - name: log2mail config is present
blockinfile: ansible.builtin.blockinfile:
dest: /etc/log2mail/config/default dest: /etc/log2mail/config/default
owner: log2mail owner: log2mail
group: adm group: adm


@ -3,7 +3,7 @@
# TODO: voir comment faire des backups initiaux des fichiers # TODO: voir comment faire des backups initiaux des fichiers
- name: Copy rsyslog.conf - name: Copy rsyslog.conf
copy: ansible.builtin.copy:
src: logs/rsyslog.conf src: logs/rsyslog.conf
dest: /etc/rsyslog.conf dest: /etc/rsyslog.conf
mode: "0644" mode: "0644"
@ -11,7 +11,8 @@
when: evolinux_logs_rsyslog_conf | bool when: evolinux_logs_rsyslog_conf | bool
- name: Disable logrotate default conf - name: Disable logrotate default conf
command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled ansible.builtin.command:
cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
args: args:
removes: /etc/logrotate.d/rsyslog removes: /etc/logrotate.d/rsyslog
creates: /etc/logrotate.d/rsyslog.disabled creates: /etc/logrotate.d/rsyslog.disabled
@ -19,33 +20,33 @@
when: evolinux_logs_disable_logrotate_rsyslog | bool when: evolinux_logs_disable_logrotate_rsyslog | bool
- name: Copy many logrotate files - name: Copy many logrotate files
copy: ansible.builtin.copy:
src: logs/logrotate.d/ src: logs/logrotate.d/
dest: /etc/logrotate.d/ dest: /etc/logrotate.d/
when: evolinux_logs_logrotate_confs | bool when: evolinux_logs_logrotate_confs | bool
- name: Copy rsyslog logrotate file - name: Copy rsyslog logrotate file
template: ansible.builtin.template:
src: logs/zsyslog.j2 src: logs/zsyslog.j2
dest: /etc/logrotate.d/zsyslog dest: /etc/logrotate.d/zsyslog
when: evolinux_logs_logrotate_confs | bool when: evolinux_logs_logrotate_confs | bool
- name: Configure logrotate.conf default rotate value - name: Configure logrotate.conf default rotate value
replace: ansible.builtin.replace:
dest: /etc/logrotate.conf dest: /etc/logrotate.conf
regexp: "rotate [0-9]+" regexp: "rotate [0-9]+"
replace: "rotate 12" replace: "rotate 12"
when: evolinux_logs_default_rotate | bool when: evolinux_logs_default_rotate | bool
- name: Enable logrotate.conf dateext option - name: Enable logrotate.conf dateext option
lineinfile: ansible.builtin.lineinfile:
dest: /etc/logrotate.conf dest: /etc/logrotate.conf
line: "dateext" line: "dateext"
regexp: "^#?\\s*dateext" regexp: "^#?\\s*dateext"
when: evolinux_logs_default_dateext | bool when: evolinux_logs_default_dateext | bool
- name: Enable logrotate.conf dateformat option - name: Enable logrotate.conf dateformat option
lineinfile: ansible.builtin.lineinfile:
dest: /etc/logrotate.conf dest: /etc/logrotate.conf
line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}" line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
regexp: "^#?\\s*dateformat.*" regexp: "^#?\\s*dateformat.*"
@ -53,11 +54,11 @@
when: evolinux_logs_default_dateext | bool when: evolinux_logs_default_dateext | bool
- name: Disable logrotate.conf dateyesterday option - name: Disable logrotate.conf dateyesterday option
lineinfile: ansible.builtin.lineinfile:
dest: /etc/logrotate.conf dest: /etc/logrotate.conf
line: "# dateyesterday" line: "# dateyesterday"
regexp: "^\\s*dateyesterday" regexp: "^\\s*dateyesterday"
insertafter: 'dateext' insertafter: 'dateext'
when: evolinux_logs_default_dateext | bool when: evolinux_logs_default_dateext | bool
- meta: flush_handlers - ansible.builtin.meta: flush_handlers


@ -14,7 +14,7 @@
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
apt_upgrade: "{{ evolinux_apt_upgrade }}" apt_upgrade: "{{ evolinux_apt_upgrade }}"
apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}" apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}"
when: evolinux_apt_include | bool when: evolinux_apt_include | bool
- name: /etc versioning with Git - name: /etc versioning with Git
@ -23,27 +23,27 @@
when: evolinux_etcgit_include | bool when: evolinux_etcgit_include | bool
- name: /etc/evolinux base - name: /etc/evolinux base
include: etc-evolinux.yml import_tasks: etc-evolinux.yml
when: evolinux_etcevolinux_include | bool when: evolinux_etcevolinux_include | bool
- name: Hostname - name: Hostname
include: hostname.yml import_tasks: hostname.yml
when: evolinux_hostname_include | bool when: evolinux_hostname_include | bool
- name: Kernel tuning - name: Kernel tuning
include: kernel.yml import_tasks: kernel.yml
when: evolinux_kernel_include | bool when: evolinux_kernel_include | bool
- name: Fstab configuration - name: Fstab configuration
include: fstab.yml import_tasks: fstab.yml
when: evolinux_fstab_include | bool when: evolinux_fstab_include | bool
- name: Packages - name: Packages
include: packages.yml import_tasks: packages.yml
when: evolinux_packages_include | bool when: evolinux_packages_include | bool
- name: System settings - name: System settings
include: system.yml import_tasks: system.yml
when: evolinux_system_include | bool when: evolinux_system_include | bool
- name: Minifirewall - name: Minifirewall
@ -67,41 +67,43 @@
# when: evolinux_users_include # when: evolinux_users_include
- name: Root user configuration - name: Root user configuration
include: root.yml import_tasks: root.yml
when: evolinux_root_include | bool when: evolinux_root_include | bool
- name: Postfix - name: Postfix
include: postfix.yml import_tasks: postfix.yml
when: evolinux_postfix_include | bool when: evolinux_postfix_include | bool
- name: Logs management - name: Logs management
include: logs.yml import_tasks: logs.yml
when: evolinux_logs_include | bool when: evolinux_logs_include | bool
- name: Default index page - name: Default index page
include: default_www.yml import_tasks: default_www.yml
when: evolinux_default_www_include | bool when: evolinux_default_www_include | bool
- name: Hardware drivers and tools - name: Hardware drivers and tools
include: hardware.yml import_tasks: hardware.yml
when: evolinux_hardware_include | bool when:
- evolinux_hardware_include | bool
- ansible_virtualization_role == "host"
- name: Customize for Online.net - name: Customize for Online.net
include: provider_online.yml import_tasks: provider_online.yml
when: evolinux_provider_online_include | bool when: evolinux_provider_online_include | bool
- name: Customize for Orange FCE - name: Customize for Orange FCE
include: provider_orange_fce.yml import_tasks: provider_orange_fce.yml
when: evolinux_provider_orange_fce_include | bool when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service - name: Override Log2mail service
include: log2mail.yml import_tasks: log2mail.yml
when: evolinux_log2mail_include | bool when: evolinux_log2mail_include | bool
- include: motd.yml - import_tasks: motd.yml
when: evolinux_motd_include | bool when: evolinux_motd_include | bool
- include: utils.yml - import_tasks: utils.yml
when: evolinux_utils_include | bool when: evolinux_utils_include | bool
- name: Munin - name: Munin
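Review bot: The rewritten `apt_basics_components` expression no longer selects on the virtualization role, because a Jinja2 filter binds tighter than `==`. `'host' | ternary(...)` is evaluated first and `ansible_virtualization_role` is then compared with its result, so the variable renders as a boolean rather than a component list. Parenthesise the comparison, `"{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}"`, or keep the previous inline `if`/`else`. The APT role that consumes this variable is outside the page, so the generated sources should be checked once on a host and once on a guest.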


@ -1,6 +1,6 @@
--- ---
- name: Deploy custom motd - name: Deploy custom motd
template: ansible.builtin.template:
src: "{{ item }}" src: "{{ item }}"
dest: /etc/motd dest: /etc/motd
force: True force: True


@ -1,7 +1,7 @@
--- ---
- name: Install/Update system tools - name: Install/Update system tools
apt: ansible.builtin.apt:
name: name:
- locales - locales
- sudo - sudo
@ -20,7 +20,7 @@
when: evolinux_packages_system | bool when: evolinux_packages_system | bool
- name: Install/Update diagnostic tools - name: Install/Update diagnostic tools
apt: ansible.builtin.apt:
name: name:
- strace - strace
- htop - htop
@ -39,7 +39,7 @@
when: evolinux_packages_diagnostic | bool when: evolinux_packages_diagnostic | bool
- name: Install/Update hardware tools - name: Install/Update hardware tools
apt: ansible.builtin.apt:
name: name:
- hdparm - hdparm
- smartmontools - smartmontools
@ -47,7 +47,7 @@
when: ansible_virtualization_role == "host" when: ansible_virtualization_role == "host"
- name: Install/Update common tools - name: Install/Update common tools
apt: ansible.builtin.apt:
name: name:
- vim - vim
- screen - screen
@ -62,21 +62,21 @@
when: evolinux_packages_common | bool when: evolinux_packages_common | bool
- name: Be sure that openntpd package is absent/purged - name: Be sure that openntpd package is absent/purged
apt: ansible.builtin.apt:
name: openntpd name: openntpd
state: absent state: absent
purge: True purge: True
when: evolinux_packages_purge_openntpd | bool when: evolinux_packages_purge_openntpd | bool
- name: the chrony package is absent - name: the chrony package is absent
apt: ansible.builtin.apt:
name: chrony name: chrony
purge: True purge: True
state: absent state: absent
when: evolinux_packages_purge_chrony | bool when: evolinux_packages_purge_chrony | bool
- name: Be sure locate/mlocate is absent/purged - name: Be sure locate/mlocate is absent/purged
apt: ansible.builtin.apt:
name: name:
- locate - locate
- mlocate - mlocate
@ -85,20 +85,20 @@
when: evolinux_packages_purge_locate | bool when: evolinux_packages_purge_locate | bool
- name: Install/Update serveur-base meta-package - name: Install/Update serveur-base meta-package
apt: ansible.builtin.apt:
name: serveur-base name: serveur-base
allow_unauthenticated: yes allow_unauthenticated: yes
when: evolinux_packages_serveur_base | bool when: evolinux_packages_serveur_base | bool
- name: Install/Update packages for Stretch and later - name: Install/Update packages for Stretch and later
apt: ansible.builtin.apt:
name: net-tools name: net-tools
when: when:
- evolinux_packages_stretch | bool - evolinux_packages_stretch | bool
- ansible_distribution_major_version is version('9', '>=') - ansible_distribution_major_version is version('9', '>=')
- name: Install/Update packages for Buster and later - name: Install/Update packages for Buster and later
apt: ansible.builtin.apt:
name: name:
- spectre-meltdown-checker - spectre-meltdown-checker
- binutils - binutils
@ -107,14 +107,14 @@
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- name: Customize logcheck recipient - name: Customize logcheck recipient
lineinfile: ansible.builtin.lineinfile:
dest: /etc/logcheck/logcheck.conf dest: /etc/logcheck/logcheck.conf
regexp: '^SENDMAILTO=".*"$' regexp: '^SENDMAILTO=".*"$'
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
when: evolinux_packages_logcheck_recipient | bool when: evolinux_packages_logcheck_recipient | bool
- name: Deleting rpcbind and nfs-common - name: Deleting rpcbind and nfs-common
apt: ansible.builtin.apt:
name: name:
- rpcbind - rpcbind
- nfs-common - nfs-common
@ -125,7 +125,7 @@
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes) # TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
- name: Configure Listchanges on Jessie - name: Configure Listchanges on Jessie
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apt/listchanges.conf dest: /etc/apt/listchanges.conf
regexp: '^{{ item.option }}\s*=' regexp: '^{{ item.option }}\s*='
line: "{{ item.option }}={{ item.value }}" line: "{{ item.option }}={{ item.value }}"
@ -138,7 +138,7 @@
- ansible_distribution_release == "jessie" - ansible_distribution_release == "jessie"
- name: apt-listchanges is absent on Stretch and later - name: apt-listchanges is absent on Stretch and later
apt: ansible.builtin.apt:
name: apt-listchanges name: apt-listchanges
state: absent state: absent
when: when:
@ -146,4 +146,4 @@
- ansible_distribution_major_version is version('9', '>=') - ansible_distribution_major_version is version('9', '>=')
- evolinux_packages_delete_aptlistchanges - evolinux_packages_delete_aptlistchanges
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
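Review bot: `Install/Update serveur-base meta-package` (hunk `-85,20 +85,20`) keeps `allow_unauthenticated: yes`, so APT installs the package without a verified repository signature. Integrity then depends entirely on the mirror and the transport. If the repository that provides `serveur-base` is signed, deploy its key before this task and drop the option. If it cannot be signed, a comment above the task, for example `# serveur-base comes from an unsigned repository: <reason>`, would record why verification is switched off.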


@ -1,18 +1,18 @@
--- ---
- name: Postfix packages are installed - name: Postfix packages are installed
apt: ansible.builtin.apt:
name: name:
- postfix - postfix
- mailgraph - mailgraph
state: present state: present
when: evolinux_postfix_packages | bool
tags: tags:
- packages - packages
- postfix - postfix
when: evolinux_postfix_packages | bool
- name: configure postfix myhostname - name: configure postfix myhostname
lineinfile: ansible.builtin.lineinfile:
dest: /etc/postfix/main.cf dest: /etc/postfix/main.cf
state: present state: present
line: "myhostname = {{ evolinux_fqdn }}" line: "myhostname = {{ evolinux_fqdn }}"
@ -22,7 +22,7 @@
- postfix - postfix
- name: configure postfix mynetworks - name: configure postfix mynetworks
lineinfile: ansible.builtin.lineinfile:
dest: /etc/postfix/main.cf dest: /etc/postfix/main.cf
state: present state: present
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
@ -32,8 +32,8 @@
- postfix - postfix
- name: fetch users list - name: fetch users list
shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" ansible.builtin.shell:
args: cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
executable: /bin/bash executable: /bin/bash
check_mode: no check_mode: no
register: non_root_users_list register: non_root_users_list
@ -42,18 +42,18 @@
- postfix - postfix
- name: each user is aliased to root - name: each user is aliased to root
lineinfile: ansible.builtin.lineinfile:
dest: /etc/aliases dest: /etc/aliases
regexp: "^{{ item }}:.*" regexp: "^{{ item }}:.*"
line: "{{ item }}: root" line: "{{ item }}: root"
loop: "{{ non_root_users_list.stdout_lines }}" loop: "{{ non_root_users_list.stdout_lines }}"
notify: newaliases notify: newaliases
when: evolinux_postfix_users_alias_root | bool
tags: tags:
- postfix - postfix
when: evolinux_postfix_users_alias_root | bool
- name: additional users address aliased to root - name: additional users address aliased to root
lineinfile: ansible.builtin.lineinfile:
dest: /etc/aliases dest: /etc/aliases
regexp: "^{{ item }}:.*" regexp: "^{{ item }}:.*"
line: "{{ item }}: root" line: "{{ item }}: root"
@ -65,24 +65,24 @@
- error - error
- bounce - bounce
notify: newaliases notify: newaliases
when: evolinux_postfix_mailer_alias_root | bool
tags: tags:
- postfix - postfix
when: evolinux_postfix_mailer_alias_root | bool
- name: root alias is configured - name: root alias is configured
lineinfile: ansible.builtin.lineinfile:
dest: /etc/aliases dest: /etc/aliases
regexp: "^root:" regexp: "^root:"
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
notify: newaliases notify: newaliases
when: evolinux_postfix_root_alias | bool
tags: tags:
- postfix - postfix
when: evolinux_postfix_root_alias | bool
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
- name: exim4 is absent - name: exim4 is absent
apt: ansible.builtin.apt:
name: name:
- exim4 - exim4
- exim4-base - exim4-base
@ -90,9 +90,9 @@
- exim4-daemon-light - exim4-daemon-light
purge: yes purge: yes
state: absent state: absent
when: evolinux_postfix_purge_exim | bool
tags: tags:
- packages - packages
- postfix - postfix
when: evolinux_postfix_purge_exim | bool
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
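Review bot: In `fetch users list`, `grep -v root` drops every account whose name contains the string `root`, not only `root` itself, so such accounts never receive the alias written by `each user is aliased to root`. `grep -vx root` limits the exclusion to the exact name. The names are then interpolated unescaped into `regexp: "^{{ item }}:.*"`, so a login containing `.` or `+` is read as a pattern; `"^{{ item | regex_escape }}:.*"` avoids that. The task continues past the end of the hunk.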


@ -1,8 +1,8 @@
- debug: - ansible.builtin.debug:
msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf." msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf."
- name: custom NTP server for Online servers - name: custom NTP server for Online servers
set_fact: ansible.builtin.set_fact:
nagios_nrpe_default_ntp_server: "ntp.online.net" nagios_nrpe_default_ntp_server: "ntp.online.net"
# - meta: flush_handlers # - ansible.builtin.meta: flush_handlers


@ -1,5 +1,5 @@
- name: Customize kernel for Orange FCE - name: Customize kernel for Orange FCE
sysctl: ansible.posix.sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
value: "{{ item.value }}" value: "{{ item.value }}"
sysctl_file: /etc/sysctl.d/evolinux_fce.conf sysctl_file: /etc/sysctl.d/evolinux_fce.conf
@ -10,7 +10,7 @@
- { name: net.ipv4.tcp_keepalive_intvl, value: 60 } - { name: net.ipv4.tcp_keepalive_intvl, value: 60 }
- { name: net.ipv6.conf.all.disable_ipv6, value: 1 } - { name: net.ipv6.conf.all.disable_ipv6, value: 1 }
- debug: - ansible.builtin.debug:
msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf." msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf."
- meta: flush_handlers - ansible.builtin.meta: flush_handlers


@ -1,6 +1,7 @@
--- ---
- name: Check if the virtual machine on VMWare Host - name: Check if the virtual machine on VMWare Host
shell: "dmidecode | grep -q 'VMware'" ansible.builtin.shell:
cmd: "dmidecode | grep -q 'VMware'"
check_mode: no check_mode: no
register: vmware_provider register: vmware_provider
failed_when: False failed_when: False
@ -9,7 +10,7 @@
- packages - packages
- name: OpenVM Tools are installed for vmware - name: OpenVM Tools are installed for vmware
apt: ansible.builtin.apt:
state: present state: present
name: open-vm-tools name: open-vm-tools
tags: tags:
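Review bot: The VMware probe in the `@ -1,6 +1,7 @@` hunk, `cmd: "dmidecode | grep -q 'VMware'"`, runs with `failed_when: False`, so a missing or failing dmidecode gives the same non-zero `vmware_provider.rc` as a host that is not on VMware. Whatever condition guards the open-vm-tools install (it lies outside the visible hunks) then presumably skips silently on such a host. When facts are gathered, the shell task could be dropped in favour of a condition such as `when: ansible_virtualization_type == "VMware"` (value to be confirmed on the target hosts); otherwise a comment like `# any dmidecode error is treated as "not VMware"` above the task would document the choice. Both tasks continue outside the hunks shown here.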


@ -1,14 +1,14 @@
--- ---
- name: chmod 700 /root - name: chmod 700 /root
file: ansible.builtin.file:
path: /root path: /root
state: directory state: directory
mode: "0700" mode: "0700"
when: evolinux_root_chmod | bool when: evolinux_root_chmod | bool
- name: "Customize root's bashrc..." - name: "Customize root's bashrc..."
lineinfile: ansible.builtin.lineinfile:
dest: /root/.bashrc dest: /root/.bashrc
line: "{{ item }}" line: "{{ item }}"
create: yes create: yes
@ -24,34 +24,35 @@
## .bash_history should be append-only ## .bash_history should be append-only
- name: Create .bash_history if missing - name: Create .bash_history if missing
copy: ansible.builtin.copy:
content: "" content: ""
dest: "/root/.bash_history" dest: "/root/.bash_history"
force: no force: no
when: evolinux_root_bash_history | bool when: evolinux_root_bash_history | bool
- name: Set umask in /root/.profile - name: Set umask in /root/.profile
lineinfile: ansible.builtin.lineinfile:
dest: "/root/.profile" dest: "/root/.profile"
line: "umask 0077" line: "umask 0077"
regexp: "umask [0-9]+" regexp: "umask [0-9]+"
when: evolinux_root_umask | bool when: evolinux_root_umask | bool
- name: "/usr/share/scripts is present in root's PATH" - name: "/usr/share/scripts is present in root's PATH"
lineinfile: ansible.builtin.lineinfile:
dest: "/root/.profile" dest: "/root/.profile"
line: "PATH=\"${PATH}:/usr/share/scripts\"" line: "PATH=\"${PATH}:/usr/share/scripts\""
when: ansible_distribution_major_version is version('10', '>=') when: ansible_distribution_major_version is version('10', '>=')
- name: Custom git config for root - name: Custom git config for root
copy: ansible.builtin.copy:
src: root/gitconfig src: root/gitconfig
dest: "/root/.gitconfig" dest: "/root/.gitconfig"
force: no force: no
when: evolinux_root_gitconfig | bool when: evolinux_root_gitconfig | bool
- name: Is .bash_history append-only - name: Is .bash_history append-only
shell: lsattr /root/.bash_history | grep -E "^.*a.* " ansible.builtin.shell:
cmd: lsattr /root/.bash_history | grep -E "^.*a.* "
check_mode: no check_mode: no
register: bash_history_append_only register: bash_history_append_only
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr" failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
@ -59,14 +60,15 @@
changed_when: False changed_when: False
- name: Set .bash_history append-only - name: Set .bash_history append-only
command: chattr +a /root/.bash_history ansible.builtin.command:
cmd: chattr +a /root/.bash_history
when: when:
- evolinux_root_bash_history_appendonly | bool - evolinux_root_bash_history_appendonly | bool
- bash_history_append_only.rc != 0 - bash_history_append_only.rc != 0
- "'Inappropriate ioctl' not in bash_history_append_only.stderr" - "'Inappropriate ioctl' not in bash_history_append_only.stderr"
- name: Setting vim as selected-editor - name: Setting vim as selected-editor
lineinfile: ansible.builtin.lineinfile:
dest: /root/.selected_editor dest: /root/.selected_editor
regexp: '^SELECTED_EDITOR=' regexp: '^SELECTED_EDITOR='
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\"" line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
@ -74,7 +76,7 @@
when: evolinux_root_vim_default | bool when: evolinux_root_vim_default | bool
- name: Setting vim root configuration - name: Setting vim root configuration
lineinfile: ansible.builtin.lineinfile:
dest: /root/.vimrc dest: /root/.vimrc
line: "{{ item }}" line: "{{ item }}"
create: yes create: yes
@ -89,7 +91,7 @@
when: evolinux_root_vim_conf | bool when: evolinux_root_vim_conf | bool
- name: disable SSH access for root - name: disable SSH access for root
replace: ansible.builtin.replace:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)' regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no" replace: "PermitRootLogin no"
@ -99,7 +101,7 @@
### Disabled : it seems useless and too dangerous for now ### Disabled : it seems useless and too dangerous for now
# - name: remove root from AllowUsers directive # - name: remove root from AllowUsers directive
# replace: # ansible.builtin.replace:
# dest: /etc/ssh/sshd_config # dest: /etc/ssh/sshd_config
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' # regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
# replace: '\1\4' # replace: '\1\4'
@ -107,4 +109,4 @@
# notify: reload sshd # notify: reload sshd
# when: evolinux_root_disable_ssh # when: evolinux_root_disable_ssh
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
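Review bot: In the `@ -89,7 +91,7 @@` hunk, the `disable SSH access for root` task only rewrites an existing line through `ansible.builtin.replace`, so a host whose /etc/ssh/sshd_config has no `PermitRootLogin` line, or has a value the regexp does not list such as `forced-commands-only`, reports ok and keeps whatever sshd applies. `ansible.builtin.lineinfile` with `regexp: '^#?PermitRootLogin '` and `line: "PermitRootLogin no"` would set the directive in both cases, and `validate: '/usr/sbin/sshd -t -f %s'` would reject a broken file before sshd is reloaded. A drop-in under sshd_config.d that is included earlier in the file could still take precedence, which is worth checking on the target release. The task's remaining options lie outside the hunk, so its notify and condition were not reviewed.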


@ -1,14 +1,14 @@
--- ---
- name: /tmp must be world-writable - name: /tmp must be world-writable
file: ansible.builtin.file:
path: /tmp path: /tmp
state: directory state: directory
mode: "u=rwx,g=rwx,o=rwxt" mode: "u=rwx,g=rwx,o=rwxt"
when: evolinux_system_chmod_tmp | bool when: evolinux_system_chmod_tmp | bool
- name: Setting default locales - name: Setting default locales
lineinfile: ansible.builtin.lineinfile:
dest: /etc/locale.gen dest: /etc/locale.gen
line: "{{ item }}" line: "{{ item }}"
create: yes create: yes
@ -21,11 +21,12 @@
when: evolinux_system_locales | bool when: evolinux_system_locales | bool
- name: Reconfigure locales - name: Reconfigure locales
command: /usr/sbin/locale-gen ansible.builtin.command:
cmd: /usr/sbin/locale-gen
when: evolinux_system_locales and default_locales is changed when: evolinux_system_locales and default_locales is changed
- name: Setting default timezone - name: Setting default timezone
timezone: community.general.timezone:
name: "{{ evolinux_system_timezone | mandatory }}" name: "{{ evolinux_system_timezone | mandatory }}"
notify: restart cron notify: restart cron
when: evolinux_system_set_timezone | bool when: evolinux_system_set_timezone | bool
@ -37,20 +38,20 @@
name: evolix/remount-usr name: evolix/remount-usr
- name: Ensure automagic vim conf is disabled - name: Ensure automagic vim conf is disabled
lineinfile: ansible.builtin.lineinfile:
dest: /etc/vim/vimrc dest: /etc/vim/vimrc
regexp: 'let g:skip_defaults_vim =' regexp: 'let g:skip_defaults_vim ='
line: 'let g:skip_defaults_vim = 1' line: 'let g:skip_defaults_vim = 1'
when: evolinux_system_vim_skip_defaults | bool when: evolinux_system_vim_skip_defaults | bool
- name: Setting vim as default editor - name: Setting vim as default editor
alternatives: community.general.alternatives:
name: editor name: editor
path: /usr/bin/vim.basic path: /usr/bin/vim.basic
when: evolinux_system_vim_default_editor | bool when: evolinux_system_vim_default_editor | bool
- name: Add "umask 027" to /etc/profile.d/evolinux.sh - name: Add "umask 027" to /etc/profile.d/evolinux.sh
lineinfile: ansible.builtin.lineinfile:
dest: /etc/profile.d/evolinux.sh dest: /etc/profile.d/evolinux.sh
line: "umask 027" line: "umask 027"
create: yes create: yes
@ -58,7 +59,7 @@
when: evolinux_system_profile | bool when: evolinux_system_profile | bool
- name: Set /etc/adduser.conf DIR_MODE to 0700 - name: Set /etc/adduser.conf DIR_MODE to 0700
replace: ansible.builtin.replace:
dest: /etc/adduser.conf dest: /etc/adduser.conf
regexp: "^DIR_MODE=0755$" regexp: "^DIR_MODE=0755$"
replace: "DIR_MODE=0700" replace: "DIR_MODE=0700"
@ -67,7 +68,7 @@
# TODO: trouver comment ne pas faire ça sur Xen Dom-U # TODO: trouver comment ne pas faire ça sur Xen Dom-U
- name: Deactivating login on all tty except tty2 - name: Deactivating login on all tty except tty2
lineinfile: ansible.builtin.lineinfile:
dest: /etc/securetty dest: /etc/securetty
line: "tty2" line: "tty2"
create: yes create: yes
@ -75,7 +76,7 @@
when: evolinux_system_restrict_securetty | bool when: evolinux_system_restrict_securetty | bool
- name: Setting TMOUT to disconnect inactive users - name: Setting TMOUT to disconnect inactive users
lineinfile: ansible.builtin.lineinfile:
dest: /etc/profile.d/evolinux.sh dest: /etc/profile.d/evolinux.sh
line: "export TMOUT={{ evolinux_system_timeout }}" line: "export TMOUT={{ evolinux_system_timeout }}"
regexp: "^export TMOUT=" regexp: "^export TMOUT="
@ -86,8 +87,8 @@
#- name: Customizing /etc/fstab #- name: Customizing /etc/fstab
- name: Check if cron is installed - name: Check if cron is installed
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" ansible.builtin.shell:
args: cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
executable: /bin/bash executable: /bin/bash
check_mode: no check_mode: no
failed_when: False failed_when: False
@ -95,7 +96,7 @@
register: is_cron_installed register: is_cron_installed
- name: Set verbose logging for cron deamon - name: Set verbose logging for cron deamon
lineinfile: ansible.builtin.lineinfile:
dest: /etc/default/cron dest: /etc/default/cron
line: "EXTRA_OPTS='-L 15'" line: "EXTRA_OPTS='-L 15'"
create: yes create: yes
@ -105,7 +106,7 @@
- evolinux_system_cron_verboselog | bool - evolinux_system_cron_verboselog | bool
- name: Modify default umask for cron deamon - name: Modify default umask for cron deamon
lineinfile: ansible.builtin.lineinfile:
dest: /etc/default/cron dest: /etc/default/cron
line: "umask 022" line: "umask 022"
create: yes create: yes
@ -115,7 +116,7 @@
- evolinux_system_cron_umask | bool - evolinux_system_cron_umask | bool
- name: Randomize periodic crontabs - name: Randomize periodic crontabs
replace: ansible.builtin.replace:
dest: /etc/crontab dest: /etc/crontab
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}" replace: "{{ item.replace }}"
@ -134,7 +135,7 @@
## alert5 ## alert5
- name: Install alert5 init script (jessie/stretch) - name: Install alert5 init script (jessie/stretch)
template: ansible.builtin.template:
src: system/alert5.sysvinit.j2 src: system/alert5.sysvinit.j2
dest: /etc/init.d/alert5 dest: /etc/init.d/alert5
force: no force: no
@ -144,7 +145,7 @@
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
- name: Enable alert5 init script (jessie/stretch) - name: Enable alert5 init script (jessie/stretch)
service: ansible.builtin.service:
name: alert5 name: alert5
enabled: yes enabled: yes
when: when:
@ -155,7 +156,7 @@
- name: Install alert5 init script (buster and later) - name: Install alert5 init script (buster and later)
template: ansible.builtin.template:
src: system/alert5.sh.j2 src: system/alert5.sh.j2
dest: /usr/share/scripts/alert5.sh dest: /usr/share/scripts/alert5.sh
force: no force: no
@ -165,7 +166,7 @@
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- name: Install alert5 service (buster and later) - name: Install alert5 service (buster and later)
copy: ansible.builtin.copy:
src: alert5.service src: alert5.service
dest: /etc/systemd/system/alert5.service dest: /etc/systemd/system/alert5.service
force: yes force: yes
@ -175,7 +176,7 @@
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- name: Enable alert5 init script (buster and later) - name: Enable alert5 init script (buster and later)
systemd: ansible.builtin.systemd:
name: alert5 name: alert5
daemon_reload: yes daemon_reload: yes
enabled: yes enabled: yes
@ -188,14 +189,15 @@
## network interfaces ## network interfaces
- name: "Is there an \"allow-hotplug\" interface ?" - name: "Is there an \"allow-hotplug\" interface ?"
command: grep allow-hotplug /etc/network/interfaces ansible.builtin.command:
cmd: grep allow-hotplug /etc/network/interfaces
failed_when: False failed_when: False
changed_when: False changed_when: False
check_mode: no check_mode: no
register: grep_hotplug_eni register: grep_hotplug_eni
- name: "Network interfaces must be \"auto\" and not \"allow-hotplug\"" - name: "Network interfaces must be \"auto\" and not \"allow-hotplug\""
replace: ansible.builtin.replace:
dest: /etc/network/interfaces dest: /etc/network/interfaces
regexp: "allow-hotplug" regexp: "allow-hotplug"
replace: "auto" replace: "auto"
@ -203,6 +205,4 @@
- evolinux_system_eni_auto | bool - evolinux_system_eni_auto | bool
- grep_hotplug_eni.rc == 0 - grep_hotplug_eni.rc == 0
## /sbin/deny - ansible.builtin.meta: flush_handlers
- meta: flush_handlers
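Review bot: In the `@ -21,11 +21,12 @@` hunk, `when: evolinux_system_locales and default_locales is changed` reads the toggle without `| bool`, while the other toggles visible in this file are all filtered. A value that arrives as a string, for instance `"false"` passed as an extra-var (constructed example), is truthy in that expression. The practical effect is probably small, since `default_locales` is presumably registered by the guarded task above it (the register line is outside the hunk), but `when: evolinux_system_locales | bool and default_locales is changed` keeps the file consistent and removes the doubt.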


@ -7,7 +7,7 @@
file: dump-server-state.yml file: dump-server-state.yml
- name: "/sbin/deny script is present" - name: "/sbin/deny script is present"
copy: ansible.builtin.copy:
src: deny.sh src: deny.sh
dest: /sbin/deny dest: /sbin/deny
mode: "0700" mode: "0700"
@ -16,7 +16,7 @@
force: no force: no
- name: update-evobackup-canary script is present - name: update-evobackup-canary script is present
copy: ansible.builtin.copy:
src: update-evobackup-canary src: update-evobackup-canary
dest: /usr/local/bin/update-evobackup-canary dest: /usr/local/bin/update-evobackup-canary
force: True force: True
@ -26,26 +26,17 @@
# TODO: delete when this has been run once on all our servers # TODO: delete when this has been run once on all our servers
- name: update-evobackup-canary is removed from sbin - name: update-evobackup-canary is removed from sbin
file: ansible.builtin.file:
path: /usr/local/sbin/update-evobackup-canary path: /usr/local/sbin/update-evobackup-canary
state: absent state: absent
# - name: dir-check script is present
# copy:
# src: "dir-check.sh"
# dest: /usr/local/bin/dir-check
# force: True
# owner: root
# group: root
# mode: "0755"
- name: Deploy htop configuration - name: Deploy htop configuration
copy: ansible.builtin.copy:
src: htoprc src: htoprc
dest: /etc/htoprc dest: /etc/htoprc
mode: "0644" mode: "0644"
- name: Deploy top configuration file - name: Deploy top configuration file
file: ansible.builtin.file:
path: /etc/topdefaultrc path: /etc/topdefaultrc
state: absent state: absent