evolinux-base: syntax
parent
6f61a0744c
commit
8f25dfe041
|
@ -1,13 +1,13 @@
|
||||||
---
|
---
|
||||||
- name: /var/www is present
|
- name: /var/www is present
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /var/www
|
path: /var/www
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
when: evolinux_default_www_files | bool
|
when: evolinux_default_www_files | bool
|
||||||
|
|
||||||
- name: images are copied
|
- name: images are copied
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: default_www/img
|
src: default_www/img
|
||||||
dest: /var/www/
|
dest: /var/www/
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
@ -16,7 +16,7 @@
|
||||||
when: evolinux_default_www_files | bool
|
when: evolinux_default_www_files | bool
|
||||||
|
|
||||||
- name: index is copied
|
- name: index is copied
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: default_www/index.html.j2
|
src: default_www/index.html.j2
|
||||||
dest: /var/www/index.html
|
dest: /var/www/index.html
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
@ -28,21 +28,23 @@
|
||||||
- name: Default certificate is present
|
- name: Default certificate is present
|
||||||
block:
|
block:
|
||||||
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||||
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
|
ansible.builtin.command:
|
||||||
|
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
|
||||||
args:
|
args:
|
||||||
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
|
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
|
||||||
|
|
||||||
- name: Adjust rights on private key
|
- name: Adjust rights on private key
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /etc/ssl/private/{{ ansible_fqdn }}.key
|
path: /etc/ssl/private/{{ ansible_fqdn }}.key
|
||||||
owner: root
|
owner: root
|
||||||
group: ssl-cert
|
group: ssl-cert
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
|
|
||||||
- name: Create certificate for default site
|
- name: Create certificate for default site
|
||||||
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
ansible.builtin.command:
|
||||||
|
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||||
args:
|
args:
|
||||||
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
||||||
when: evolinux_default_www_ssl_cert | bool
|
when: evolinux_default_www_ssl_cert | bool
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
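Review bot: With the module now written in dict form, `creates` can sit next to `cmd` under the module instead of in a separate task-level `args:` block, e.g. `ansible.builtin.command:` / `  cmd: openssl req ...` / `  creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"`; the same applies to the `openssl x509` task in this block and to the logrotate `mv` task further down the page. Independently of the syntax, the guard only watches the `.key` file while the command writes both the key and the `.csr`, so if the CSR is ever removed the key task is skipped and the `openssl x509 -in .../{{ ansible_fqdn }}.csr` step fails until the key is deleted by hand; guarding on the CSR path as well (or a `stat` of both files) would make the block self-healing. The certificate is self-signed for 3650 days, which is fine for a placeholder default vhost but deserves a one-line comment so nobody mistakes it for a real certificate.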
|
|
|
@ -1,5 +1,5 @@
|
||||||
- name: dump-server-state script is present
|
- name: dump-server-state script is present
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "dump-server-state.sh"
|
src: "dump-server-state.sh"
|
||||||
dest: /usr/local/sbin/dump-server-state
|
dest: /usr/local/sbin/dump-server-state
|
||||||
force: True
|
force: True
|
||||||
|
@ -8,7 +8,7 @@
|
||||||
mode: "0750"
|
mode: "0750"
|
||||||
|
|
||||||
- name: symlink backup-server-state to dump-server-state
|
- name: symlink backup-server-state to dump-server-state
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: /usr/local/sbin/dump-server-state
|
src: /usr/local/sbin/dump-server-state
|
||||||
dest: /usr/local/sbin/backup-server-state
|
dest: /usr/local/sbin/backup-server-state
|
||||||
state: link
|
state: link
|
||||||
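Review bot: `force: True` keeps the YAML 1.1 capitalised boolean while the dbus task elsewhere on this page already writes `enabled: true`; since this commit is a syntax pass, normalising to lowercase `force: true` would fit it. The same spellings (`True`, `False`, `yes`) survive in the fstab `check_mode`/`failed_when`/`changed_when` lines, the `/etc/mailname` `force: yes`, the log2mail `daemon-reload: yes`/`enabled: yes`, the motd `force: True`, and the `purge: True`/`allow_unauthenticated: yes` package tasks. ansible-lint's truthy rule flags all of these, and `daemon-reload` could become the canonical `daemon_reload` in the same pass.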
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
### This is taken care of by the evolinux-todo role
|
### This is taken care of by the evolinux-todo role
|
||||||
# - name: /etc/evolinux exists
|
# - name: /etc/evolinux exists
|
||||||
# file:
|
# ansible.builtin.file:
|
||||||
# dest: /etc/evolinux
|
# dest: /etc/evolinux
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
|
|
|
@ -4,69 +4,70 @@
|
||||||
# TODO: try to use the custom mount_uuid module for a different approach
|
# TODO: try to use the custom mount_uuid module for a different approach
|
||||||
|
|
||||||
- name: Fetch fstab content
|
- name: Fetch fstab content
|
||||||
command: "grep -v '^#' /etc/fstab"
|
ansible.builtin.command:
|
||||||
|
cmd: "grep -v '^#' /etc/fstab"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: fstab_content
|
register: fstab_content
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
|
||||||
- name: /home partition is customized
|
- name: /home partition is customized
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/fstab
|
dest: /etc/fstab
|
||||||
regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)'
|
regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)'
|
||||||
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
|
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
|
||||||
notify: remount /home
|
notify: remount /home
|
||||||
when:
|
when:
|
||||||
- fstab_content.stdout | regex_search('\s/home\s')
|
- fstab_content.stdout | regex_search('\s/home\s')
|
||||||
- evolinux_fstab_home | bool
|
- evolinux_fstab_home | bool
|
||||||
|
|
||||||
- name: /tmp partition is customized
|
- name: /tmp partition is customized
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/fstab
|
dest: /etc/fstab
|
||||||
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
|
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
|
||||||
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
|
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
|
||||||
when:
|
when:
|
||||||
- fstab_content.stdout | regex_search('\s/tmp\s')
|
- fstab_content.stdout | regex_search('\s/tmp\s')
|
||||||
- evolinux_fstab_tmp | bool
|
- evolinux_fstab_tmp | bool
|
||||||
|
|
||||||
- name: /usr partition is customized
|
- name: /usr partition is customized
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/fstab
|
dest: /etc/fstab
|
||||||
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
|
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
|
||||||
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
|
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
|
||||||
when:
|
when:
|
||||||
- fstab_content.stdout | regex_search('\s/usr\s')
|
- fstab_content.stdout | regex_search('\s/usr\s')
|
||||||
- evolinux_fstab_usr | bool
|
- evolinux_fstab_usr | bool
|
||||||
|
|
||||||
- name: /var partition is customized
|
- name: /var partition is customized
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/fstab
|
dest: /etc/fstab
|
||||||
regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)'
|
regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)'
|
||||||
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
|
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
|
||||||
notify: remount /var
|
notify: remount /var
|
||||||
when:
|
when:
|
||||||
- fstab_content.stdout | regex_search('\s/var\s')
|
- fstab_content.stdout | regex_search('\s/var\s')
|
||||||
- evolinux_fstab_var | bool
|
- evolinux_fstab_var | bool
|
||||||
|
|
||||||
- name: /var/tmp is created
|
- name: /var/tmp is created
|
||||||
mount:
|
ansible.posix.mount:
|
||||||
src: tmpfs
|
src: tmpfs
|
||||||
name: /var/tmp
|
name: /var/tmp
|
||||||
fstype: tmpfs
|
fstype: tmpfs
|
||||||
opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}"
|
opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}"
|
||||||
state: mounted
|
state: mounted
|
||||||
when:
|
when:
|
||||||
- evolinux_fstab_var_tmp | bool
|
- evolinux_fstab_var_tmp | bool
|
||||||
|
|
||||||
- name: /dev/shm is created (Debian 10 and later)
|
- name: /dev/shm is created (Debian 10 and later)
|
||||||
mount:
|
ansible.posix.mount:
|
||||||
src: tmpfs
|
src: tmpfs
|
||||||
name: /dev/shm
|
name: /dev/shm
|
||||||
fstype: tmpfs
|
fstype: tmpfs
|
||||||
opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
|
opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
|
||||||
state: mounted
|
state: mounted
|
||||||
when:
|
when:
|
||||||
- evolinux_fstab_dev_shm | bool
|
- evolinux_fstab_dev_shm | bool
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
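Review bot: `ansible.posix.mount` here (and `ansible.posix.sysctl` in the kernel tasks below) moves these tasks from a builtin to the `ansible.posix` collection, and nothing on this page declares that dependency; unless the role's `meta/main.yml` or a `requirements.yml` already lists `ansible.posix`, a fresh control node fails at parse time on these tasks. Also, `failed_when: False` on the `grep -v '^#' /etc/fstab` task hides a missing or unreadable fstab, which then silently skips every partition customisation below because `fstab_content.stdout` is empty; if that silent skip is not intended, dropping `failed_when` and keeping only `changed_when: false` would surface the error.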
|
|
|
@ -1,29 +1,29 @@
|
||||||
---
|
---
|
||||||
- name: dbus is installed
|
- name: dbus is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: dbus
|
name: dbus
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: dbus is enabled and started
|
- name: dbus is enabled and started
|
||||||
service:
|
ansible.builtin.systemd:
|
||||||
name: dbus
|
name: dbus
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
- name: Set hostname "{{ evolinux_hostname }}"
|
- name: Set hostname "{{ evolinux_hostname }}"
|
||||||
hostname:
|
ansible.builtin.hostname:
|
||||||
name: "{{ evolinux_hostname }}"
|
name: "{{ evolinux_hostname }}"
|
||||||
when: evolinux_hostname_hosts | bool
|
when: evolinux_hostname_hosts | bool
|
||||||
|
|
||||||
- name: Set right localhost line in /etc/hosts
|
- name: Set right localhost line in /etc/hosts
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/hosts
|
dest: /etc/hosts
|
||||||
regexp: '^127.0.0.1(\s+)localhost.*$'
|
regexp: '^127.0.0.1(\s+)localhost.*$'
|
||||||
replace: '127.0.0.1\1localhost.localdomain localhost'
|
replace: '127.0.0.1\1localhost.localdomain localhost'
|
||||||
when: evolinux_hostname_hosts | bool
|
when: evolinux_hostname_hosts | bool
|
||||||
|
|
||||||
- name: Set ip+fqdn+hostname in /etc/hosts
|
- name: Set ip+fqdn+hostname in /etc/hosts
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/hosts
|
dest: /etc/hosts
|
||||||
regexp: '^{{ ansible_default_ipv4.address }}\s+'
|
regexp: '^{{ ansible_default_ipv4.address }}\s+'
|
||||||
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
|
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
|
||||||
|
@ -31,14 +31,14 @@
|
||||||
when: evolinux_hostname_hosts | bool
|
when: evolinux_hostname_hosts | bool
|
||||||
|
|
||||||
- name: 127.0.1.1 is removed
|
- name: 127.0.1.1 is removed
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/hosts
|
dest: /etc/hosts
|
||||||
regexp: '^127.0.1.1\s+'
|
regexp: '^127.0.1.1\s+'
|
||||||
state: absent
|
state: absent
|
||||||
when: evolinux_hostname_hosts | bool
|
when: evolinux_hostname_hosts | bool
|
||||||
|
|
||||||
- name: /etc/mailname is up-to-date
|
- name: /etc/mailname is up-to-date
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: /etc/mailname
|
dest: /etc/mailname
|
||||||
content: "{{ evolinux_fqdn }}\n"
|
content: "{{ evolinux_fqdn }}\n"
|
||||||
force: yes
|
force: yes
|
||||||
|
@ -47,18 +47,18 @@
|
||||||
# Override facts
|
# Override facts
|
||||||
|
|
||||||
- name: Override ansible_hostname fact
|
- name: Override ansible_hostname fact
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_hostname: "{{ evolinux_hostname }}"
|
ansible_hostname: "{{ evolinux_hostname }}"
|
||||||
when: ansible_hostname != evolinux_hostname
|
when: ansible_hostname != evolinux_hostname
|
||||||
|
|
||||||
- name: Override ansible_domain fact
|
- name: Override ansible_domain fact
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_domain: "{{ evolinux_domain }}"
|
ansible_domain: "{{ evolinux_domain }}"
|
||||||
when: ansible_domain != evolinux_domain
|
when: ansible_domain != evolinux_domain
|
||||||
|
|
||||||
- name: Override ansible_fqdn fact
|
- name: Override ansible_fqdn fact
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_fqdn: "{{ evolinux_fqdn }}"
|
ansible_fqdn: "{{ evolinux_fqdn }}"
|
||||||
when: ansible_fqdn != evolinux_fqdn
|
when: ansible_fqdn != evolinux_fqdn
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
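Review bot: Replacing `service:` with `ansible.builtin.systemd:` for the dbus task changes behaviour, not just syntax: the `systemd` module fails outright on hosts without systemd, whereas `service` dispatches to whatever init system is present. If the role is only meant for systemd-based Debian this is fine but deserves a comment on the task; otherwise `ansible.builtin.service:` keeps the old semantics with the FQCN. Separately, the `/etc/hosts` regexps `'^127.0.0.1(\s+)localhost.*$'` and `'^127.0.1.1\s+'` leave the dots unescaped, so an unrelated line such as `127a0b0c1 ...` would also match; `'^127\.0\.0\.1(\s+)localhost.*$'` and `'^127\.0\.1\.1\s+'` are the precise forms.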
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "Use Cloud kernel on virtual servers"
|
- name: "Use Cloud kernel on virtual servers"
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: "linux-image-cloud-amd64"
|
name: "linux-image-cloud-amd64"
|
||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
- evolinux_kernel_cloud_auto | bool
|
- evolinux_kernel_cloud_auto | bool
|
||||||
|
|
||||||
- name: "Remove non-Cloud kernel on virtual servers"
|
- name: "Remove non-Cloud kernel on virtual servers"
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: "linux-image-amd64"
|
name: "linux-image-amd64"
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
- evolinux_kernel_cloud_auto | bool
|
- evolinux_kernel_cloud_auto | bool
|
||||||
|
|
||||||
- name: Reboot after panic
|
- name: Reboot after panic
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
|
@ -31,7 +31,7 @@
|
||||||
when: evolinux_kernel_reboot_after_panic | bool
|
when: evolinux_kernel_reboot_after_panic | bool
|
||||||
|
|
||||||
- name: Don't reboot after panic
|
- name: Don't reboot after panic
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
state: absent
|
state: absent
|
||||||
|
@ -42,7 +42,7 @@
|
||||||
when: not evolinux_kernel_reboot_after_panic | bool
|
when: not evolinux_kernel_reboot_after_panic | bool
|
||||||
|
|
||||||
- name: Disable net.ipv4.tcp_timestamps
|
- name: Disable net.ipv4.tcp_timestamps
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: net.ipv4.tcp_timestamps
|
name: net.ipv4.tcp_timestamps
|
||||||
value: '0'
|
value: '0'
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
|
@ -51,7 +51,7 @@
|
||||||
when: evolinux_kernel_disable_tcp_timestamps | bool
|
when: evolinux_kernel_disable_tcp_timestamps | bool
|
||||||
|
|
||||||
- name: Customize the swappiness
|
- name: Customize the swappiness
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: vm.swappiness
|
name: vm.swappiness
|
||||||
value: "{{ evolinux_kernel_swappiness }}"
|
value: "{{ evolinux_kernel_swappiness }}"
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
|
@ -60,7 +60,7 @@
|
||||||
when: evolinux_kernel_customize_swappiness | bool
|
when: evolinux_kernel_customize_swappiness | bool
|
||||||
|
|
||||||
- name: Patch for TCP stack vulnerability CVE-2016-5696
|
- name: Patch for TCP stack vulnerability CVE-2016-5696
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: net.ipv4.tcp_challenge_ack_limit
|
name: net.ipv4.tcp_challenge_ack_limit
|
||||||
value: "1073741823"
|
value: "1073741823"
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
|
@ -69,7 +69,7 @@
|
||||||
when: evolinux_kernel_cve20165696 | bool
|
when: evolinux_kernel_cve20165696 | bool
|
||||||
|
|
||||||
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
|
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
|
@ -81,4 +81,4 @@
|
||||||
- { name: "net.ipv4.ipfrag_high_thresh", value: "262144" }
|
- { name: "net.ipv4.ipfrag_high_thresh", value: "262144" }
|
||||||
- { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }
|
- { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
@ -1,24 +1,24 @@
|
||||||
---
|
---
|
||||||
- name: Deploy log2mail systemd unit
|
- name: Deploy log2mail systemd unit
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: log2mail.service
|
src: log2mail.service
|
||||||
dest: /etc/systemd/system/log2mail.service
|
dest: /etc/systemd/system/log2mail.service
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: Remove log2mail sysvinit service
|
- name: Remove log2mail sysvinit service
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /etc/init.d/log2mail
|
path: /etc/init.d/log2mail
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: Enable and start log2mail service
|
- name: Enable and start log2mail service
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: log2mail
|
name: log2mail
|
||||||
daemon-reload: yes
|
daemon-reload: yes
|
||||||
state: started
|
state: started
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
||||||
- name: log2mail config is present
|
- name: log2mail config is present
|
||||||
blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
dest: /etc/log2mail/config/default
|
dest: /etc/log2mail/config/default
|
||||||
owner: log2mail
|
owner: log2mail
|
||||||
group: adm
|
group: adm
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
# TODO: voir comment faire des backups initiaux des fichiers
|
# TODO: voir comment faire des backups initiaux des fichiers
|
||||||
|
|
||||||
- name: Copy rsyslog.conf
|
- name: Copy rsyslog.conf
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: logs/rsyslog.conf
|
src: logs/rsyslog.conf
|
||||||
dest: /etc/rsyslog.conf
|
dest: /etc/rsyslog.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
@ -11,7 +11,8 @@
|
||||||
when: evolinux_logs_rsyslog_conf | bool
|
when: evolinux_logs_rsyslog_conf | bool
|
||||||
|
|
||||||
- name: Disable logrotate default conf
|
- name: Disable logrotate default conf
|
||||||
command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
|
ansible.builtin.command:
|
||||||
|
cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
|
||||||
args:
|
args:
|
||||||
removes: /etc/logrotate.d/rsyslog
|
removes: /etc/logrotate.d/rsyslog
|
||||||
creates: /etc/logrotate.d/rsyslog.disabled
|
creates: /etc/logrotate.d/rsyslog.disabled
|
||||||
|
@ -19,33 +20,33 @@
|
||||||
when: evolinux_logs_disable_logrotate_rsyslog | bool
|
when: evolinux_logs_disable_logrotate_rsyslog | bool
|
||||||
|
|
||||||
- name: Copy many logrotate files
|
- name: Copy many logrotate files
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: logs/logrotate.d/
|
src: logs/logrotate.d/
|
||||||
dest: /etc/logrotate.d/
|
dest: /etc/logrotate.d/
|
||||||
when: evolinux_logs_logrotate_confs | bool
|
when: evolinux_logs_logrotate_confs | bool
|
||||||
|
|
||||||
- name: Copy rsyslog logrotate file
|
- name: Copy rsyslog logrotate file
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: logs/zsyslog.j2
|
src: logs/zsyslog.j2
|
||||||
dest: /etc/logrotate.d/zsyslog
|
dest: /etc/logrotate.d/zsyslog
|
||||||
when: evolinux_logs_logrotate_confs | bool
|
when: evolinux_logs_logrotate_confs | bool
|
||||||
|
|
||||||
- name: Configure logrotate.conf default rotate value
|
- name: Configure logrotate.conf default rotate value
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/logrotate.conf
|
dest: /etc/logrotate.conf
|
||||||
regexp: "rotate [0-9]+"
|
regexp: "rotate [0-9]+"
|
||||||
replace: "rotate 12"
|
replace: "rotate 12"
|
||||||
when: evolinux_logs_default_rotate | bool
|
when: evolinux_logs_default_rotate | bool
|
||||||
|
|
||||||
- name: Enable logrotate.conf dateext option
|
- name: Enable logrotate.conf dateext option
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/logrotate.conf
|
dest: /etc/logrotate.conf
|
||||||
line: "dateext"
|
line: "dateext"
|
||||||
regexp: "^#?\\s*dateext"
|
regexp: "^#?\\s*dateext"
|
||||||
when: evolinux_logs_default_dateext | bool
|
when: evolinux_logs_default_dateext | bool
|
||||||
|
|
||||||
- name: Enable logrotate.conf dateformat option
|
- name: Enable logrotate.conf dateformat option
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/logrotate.conf
|
dest: /etc/logrotate.conf
|
||||||
line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
|
line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
|
||||||
regexp: "^#?\\s*dateformat.*"
|
regexp: "^#?\\s*dateformat.*"
|
||||||
|
@ -53,11 +54,11 @@
|
||||||
when: evolinux_logs_default_dateext | bool
|
when: evolinux_logs_default_dateext | bool
|
||||||
|
|
||||||
- name: Disable logrotate.conf dateyesterday option
|
- name: Disable logrotate.conf dateyesterday option
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/logrotate.conf
|
dest: /etc/logrotate.conf
|
||||||
line: "# dateyesterday"
|
line: "# dateyesterday"
|
||||||
regexp: "^\\s*dateyesterday"
|
regexp: "^\\s*dateyesterday"
|
||||||
insertafter: 'dateext'
|
insertafter: 'dateext'
|
||||||
when: evolinux_logs_default_dateext | bool
|
when: evolinux_logs_default_dateext | bool
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
|
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
|
||||||
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
|
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
|
||||||
apt_upgrade: "{{ evolinux_apt_upgrade }}"
|
apt_upgrade: "{{ evolinux_apt_upgrade }}"
|
||||||
apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}"
|
apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}"
|
||||||
when: evolinux_apt_include | bool
|
when: evolinux_apt_include | bool
|
||||||
|
|
||||||
- name: /etc versioning with Git
|
- name: /etc versioning with Git
|
||||||
|
@ -23,27 +23,27 @@
|
||||||
when: evolinux_etcgit_include | bool
|
when: evolinux_etcgit_include | bool
|
||||||
|
|
||||||
- name: /etc/evolinux base
|
- name: /etc/evolinux base
|
||||||
include: etc-evolinux.yml
|
import_tasks: etc-evolinux.yml
|
||||||
when: evolinux_etcevolinux_include | bool
|
when: evolinux_etcevolinux_include | bool
|
||||||
|
|
||||||
- name: Hostname
|
- name: Hostname
|
||||||
include: hostname.yml
|
import_tasks: hostname.yml
|
||||||
when: evolinux_hostname_include | bool
|
when: evolinux_hostname_include | bool
|
||||||
|
|
||||||
- name: Kernel tuning
|
- name: Kernel tuning
|
||||||
include: kernel.yml
|
import_tasks: kernel.yml
|
||||||
when: evolinux_kernel_include | bool
|
when: evolinux_kernel_include | bool
|
||||||
|
|
||||||
- name: Fstab configuration
|
- name: Fstab configuration
|
||||||
include: fstab.yml
|
import_tasks: fstab.yml
|
||||||
when: evolinux_fstab_include | bool
|
when: evolinux_fstab_include | bool
|
||||||
|
|
||||||
- name: Packages
|
- name: Packages
|
||||||
include: packages.yml
|
import_tasks: packages.yml
|
||||||
when: evolinux_packages_include | bool
|
when: evolinux_packages_include | bool
|
||||||
|
|
||||||
- name: System settings
|
- name: System settings
|
||||||
include: system.yml
|
import_tasks: system.yml
|
||||||
when: evolinux_system_include | bool
|
when: evolinux_system_include | bool
|
||||||
|
|
||||||
- name: Minifirewall
|
- name: Minifirewall
|
||||||
|
@ -67,41 +67,43 @@
|
||||||
# when: evolinux_users_include
|
# when: evolinux_users_include
|
||||||
|
|
||||||
- name: Root user configuration
|
- name: Root user configuration
|
||||||
include: root.yml
|
import_tasks: root.yml
|
||||||
when: evolinux_root_include | bool
|
when: evolinux_root_include | bool
|
||||||
|
|
||||||
- name: Postfix
|
- name: Postfix
|
||||||
include: postfix.yml
|
import_tasks: postfix.yml
|
||||||
when: evolinux_postfix_include | bool
|
when: evolinux_postfix_include | bool
|
||||||
|
|
||||||
- name: Logs management
|
- name: Logs management
|
||||||
include: logs.yml
|
import_tasks: logs.yml
|
||||||
when: evolinux_logs_include | bool
|
when: evolinux_logs_include | bool
|
||||||
|
|
||||||
- name: Default index page
|
- name: Default index page
|
||||||
include: default_www.yml
|
import_tasks: default_www.yml
|
||||||
when: evolinux_default_www_include | bool
|
when: evolinux_default_www_include | bool
|
||||||
|
|
||||||
- name: Hardware drivers and tools
|
- name: Hardware drivers and tools
|
||||||
include: hardware.yml
|
import_tasks: hardware.yml
|
||||||
when: evolinux_hardware_include | bool
|
when:
|
||||||
|
- evolinux_hardware_include | bool
|
||||||
|
- ansible_virtualization_role == "host"
|
||||||
|
|
||||||
- name: Customize for Online.net
|
- name: Customize for Online.net
|
||||||
include: provider_online.yml
|
import_tasks: provider_online.yml
|
||||||
when: evolinux_provider_online_include | bool
|
when: evolinux_provider_online_include | bool
|
||||||
|
|
||||||
- name: Customize for Orange FCE
|
- name: Customize for Orange FCE
|
||||||
include: provider_orange_fce.yml
|
import_tasks: provider_orange_fce.yml
|
||||||
when: evolinux_provider_orange_fce_include | bool
|
when: evolinux_provider_orange_fce_include | bool
|
||||||
|
|
||||||
- name: Override Log2mail service
|
- name: Override Log2mail service
|
||||||
include: log2mail.yml
|
import_tasks: log2mail.yml
|
||||||
when: evolinux_log2mail_include | bool
|
when: evolinux_log2mail_include | bool
|
||||||
|
|
||||||
- include: motd.yml
|
- import_tasks: motd.yml
|
||||||
when: evolinux_motd_include | bool
|
when: evolinux_motd_include | bool
|
||||||
|
|
||||||
- include: utils.yml
|
- import_tasks: utils.yml
|
||||||
when: evolinux_utils_include | bool
|
when: evolinux_utils_include | bool
|
||||||
|
|
||||||
- name: Munin
|
- name: Munin
|
||||||
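Review bot: The rewritten `apt_basics_components` expression is wrong: in Jinja2 a filter binds tighter than `==`, so `ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main')` compares the role with the string `'main contrib non-free'` and the variable ends up as the boolean `False` instead of a component list. Parenthesise the comparison, `apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}"`, or keep the original inline-if form, which was already correct. Note also that the hardware tasks now additionally require `ansible_virtualization_role == "host"`, a behaviour change hidden in a syntax commit that is worth calling out in the commit message.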
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: Deploy custom motd
|
- name: Deploy custom motd
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: /etc/motd
|
dest: /etc/motd
|
||||||
force: True
|
force: True
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Install/Update system tools
|
- name: Install/Update system tools
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- locales
|
- locales
|
||||||
- sudo
|
- sudo
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
when: evolinux_packages_system | bool
|
when: evolinux_packages_system | bool
|
||||||
|
|
||||||
- name: Install/Update diagnostic tools
|
- name: Install/Update diagnostic tools
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- strace
|
- strace
|
||||||
- htop
|
- htop
|
||||||
|
@ -39,7 +39,7 @@
|
||||||
when: evolinux_packages_diagnostic | bool
|
when: evolinux_packages_diagnostic | bool
|
||||||
|
|
||||||
- name: Install/Update hardware tools
|
- name: Install/Update hardware tools
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- hdparm
|
- hdparm
|
||||||
- smartmontools
|
- smartmontools
|
||||||
|
@ -47,7 +47,7 @@
|
||||||
when: ansible_virtualization_role == "host"
|
when: ansible_virtualization_role == "host"
|
||||||
|
|
||||||
- name: Install/Update common tools
|
- name: Install/Update common tools
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- vim
|
- vim
|
||||||
- screen
|
- screen
|
||||||
|
@ -62,21 +62,21 @@
|
||||||
when: evolinux_packages_common | bool
|
when: evolinux_packages_common | bool
|
||||||
|
|
||||||
- name: Be sure that openntpd package is absent/purged
|
- name: Be sure that openntpd package is absent/purged
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: openntpd
|
name: openntpd
|
||||||
state: absent
|
state: absent
|
||||||
purge: True
|
purge: True
|
||||||
when: evolinux_packages_purge_openntpd | bool
|
when: evolinux_packages_purge_openntpd | bool
|
||||||
|
|
||||||
- name: the chrony package is absent
|
- name: the chrony package is absent
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: chrony
|
name: chrony
|
||||||
purge: True
|
purge: True
|
||||||
state: absent
|
state: absent
|
||||||
when: evolinux_packages_purge_chrony | bool
|
when: evolinux_packages_purge_chrony | bool
|
||||||
|
|
||||||
- name: Be sure locate/mlocate is absent/purged
|
- name: Be sure locate/mlocate is absent/purged
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- locate
|
- locate
|
||||||
- mlocate
|
- mlocate
|
||||||
|
@ -85,20 +85,20 @@
|
||||||
when: evolinux_packages_purge_locate | bool
|
when: evolinux_packages_purge_locate | bool
|
||||||
|
|
||||||
- name: Install/Update serveur-base meta-package
|
- name: Install/Update serveur-base meta-package
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: serveur-base
|
name: serveur-base
|
||||||
allow_unauthenticated: yes
|
allow_unauthenticated: yes
|
||||||
when: evolinux_packages_serveur_base | bool
|
when: evolinux_packages_serveur_base | bool
|
||||||
|
|
||||||
- name: Install/Update packages for Stretch and later
|
- name: Install/Update packages for Stretch and later
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: net-tools
|
name: net-tools
|
||||||
when:
|
when:
|
||||||
- evolinux_packages_stretch | bool
|
- evolinux_packages_stretch | bool
|
||||||
- ansible_distribution_major_version is version('9', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
- name: Install/Update packages for Buster and later
|
- name: Install/Update packages for Buster and later
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- spectre-meltdown-checker
|
- spectre-meltdown-checker
|
||||||
- binutils
|
- binutils
|
||||||
|
@ -107,14 +107,14 @@
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- name: Customize logcheck recipient
|
- name: Customize logcheck recipient
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/logcheck/logcheck.conf
|
dest: /etc/logcheck/logcheck.conf
|
||||||
regexp: '^SENDMAILTO=".*"$'
|
regexp: '^SENDMAILTO=".*"$'
|
||||||
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
|
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
|
||||||
when: evolinux_packages_logcheck_recipient | bool
|
when: evolinux_packages_logcheck_recipient | bool
|
||||||
|
|
||||||
- name: Deleting rpcbind and nfs-common
|
- name: Deleting rpcbind and nfs-common
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- rpcbind
|
- rpcbind
|
||||||
- nfs-common
|
- nfs-common
|
||||||
|
@ -125,7 +125,7 @@
|
||||||
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
|
# TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes)
|
||||||
|
|
||||||
- name: Configure Listchanges on Jessie
|
- name: Configure Listchanges on Jessie
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apt/listchanges.conf
|
dest: /etc/apt/listchanges.conf
|
||||||
regexp: '^{{ item.option }}\s*='
|
regexp: '^{{ item.option }}\s*='
|
||||||
line: "{{ item.option }}={{ item.value }}"
|
line: "{{ item.option }}={{ item.value }}"
|
||||||
|
@ -138,7 +138,7 @@
|
||||||
- ansible_distribution_release == "jessie"
|
- ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: apt-listchanges is absent on Stretch and later
|
- name: apt-listchanges is absent on Stretch and later
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: apt-listchanges
|
name: apt-listchanges
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
|
@ -146,4 +146,4 @@
|
||||||
- ansible_distribution_major_version is version('9', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
- evolinux_packages_delete_aptlistchanges
|
- evolinux_packages_delete_aptlistchanges
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
@ -1,18 +1,18 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Postfix packages are installed
|
- name: Postfix packages are installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- postfix
|
- postfix
|
||||||
- mailgraph
|
- mailgraph
|
||||||
state: present
|
state: present
|
||||||
when: evolinux_postfix_packages | bool
|
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- postfix
|
- postfix
|
||||||
|
when: evolinux_postfix_packages | bool
|
||||||
|
|
||||||
- name: configure postfix myhostname
|
- name: configure postfix myhostname
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/postfix/main.cf
|
dest: /etc/postfix/main.cf
|
||||||
state: present
|
state: present
|
||||||
line: "myhostname = {{ evolinux_fqdn }}"
|
line: "myhostname = {{ evolinux_fqdn }}"
|
||||||
|
@ -22,7 +22,7 @@
|
||||||
- postfix
|
- postfix
|
||||||
|
|
||||||
- name: configure postfix mynetworks
|
- name: configure postfix mynetworks
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/postfix/main.cf
|
dest: /etc/postfix/main.cf
|
||||||
state: present
|
state: present
|
||||||
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
|
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
|
||||||
|
@ -32,8 +32,8 @@
|
||||||
- postfix
|
- postfix
|
||||||
|
|
||||||
- name: fetch users list
|
- name: fetch users list
|
||||||
shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
|
ansible.builtin.shell:
|
||||||
args:
|
cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root"
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: non_root_users_list
|
register: non_root_users_list
|
||||||
|
@ -42,18 +42,18 @@
|
||||||
- postfix
|
- postfix
|
||||||
|
|
||||||
- name: each user is aliased to root
|
- name: each user is aliased to root
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/aliases
|
dest: /etc/aliases
|
||||||
regexp: "^{{ item }}:.*"
|
regexp: "^{{ item }}:.*"
|
||||||
line: "{{ item }}: root"
|
line: "{{ item }}: root"
|
||||||
loop: "{{ non_root_users_list.stdout_lines }}"
|
loop: "{{ non_root_users_list.stdout_lines }}"
|
||||||
notify: newaliases
|
notify: newaliases
|
||||||
when: evolinux_postfix_users_alias_root | bool
|
|
||||||
tags:
|
tags:
|
||||||
- postfix
|
- postfix
|
||||||
|
when: evolinux_postfix_users_alias_root | bool
|
||||||
|
|
||||||
- name: additional users address aliased to root
|
- name: additional users address aliased to root
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/aliases
|
dest: /etc/aliases
|
||||||
regexp: "^{{ item }}:.*"
|
regexp: "^{{ item }}:.*"
|
||||||
line: "{{ item }}: root"
|
line: "{{ item }}: root"
|
||||||
|
@ -65,24 +65,24 @@
|
||||||
- error
|
- error
|
||||||
- bounce
|
- bounce
|
||||||
notify: newaliases
|
notify: newaliases
|
||||||
when: evolinux_postfix_mailer_alias_root | bool
|
|
||||||
tags:
|
tags:
|
||||||
- postfix
|
- postfix
|
||||||
|
when: evolinux_postfix_mailer_alias_root | bool
|
||||||
|
|
||||||
- name: root alias is configured
|
- name: root alias is configured
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/aliases
|
dest: /etc/aliases
|
||||||
regexp: "^root:"
|
regexp: "^root:"
|
||||||
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
|
line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}"
|
||||||
notify: newaliases
|
notify: newaliases
|
||||||
when: evolinux_postfix_root_alias | bool
|
|
||||||
tags:
|
tags:
|
||||||
- postfix
|
- postfix
|
||||||
|
when: evolinux_postfix_root_alias | bool
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
- name: exim4 is absent
|
- name: exim4 is absent
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- exim4
|
- exim4
|
||||||
- exim4-base
|
- exim4-base
|
||||||
|
@ -90,9 +90,9 @@
|
||||||
- exim4-daemon-light
|
- exim4-daemon-light
|
||||||
purge: yes
|
purge: yes
|
||||||
state: absent
|
state: absent
|
||||||
when: evolinux_postfix_purge_exim | bool
|
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- postfix
|
- postfix
|
||||||
|
when: evolinux_postfix_purge_exim | bool
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
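Review bot: The YAML-1.1 booleans are the one thing this FQCN/`cmd:` normalization leaves alone — `check_mode: no` on the "fetch users list" task and `purge: yes` on the "exim4 is absent" task here, and the same pattern in the later sections (`check_mode: no` and `failed_when: False` in the VMware section, `force: no` in the root section, `force: True` in the utils section); ansible-lint's `yaml[truthy]` rule flags all of them, so `true`/`false` would be consistent with the rest of this cleanup. Separately, the task named `configure postfix mynetworks` writes `line: "mydestination = …"`, so `- name: configure postfix mydestination` would describe what it actually does. Whether that lineinfile carries a `regexp:` that replaces an existing `mydestination =` entry rather than appending a second one is not visible, as the task continues below this hunk.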
@ -1,8 +1,8 @@
|
||||||
- debug:
|
- ansible.builtin.debug:
|
||||||
msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf."
|
msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf."
|
||||||
|
|
||||||
- name: custom NTP server for Online servers
|
- name: custom NTP server for Online servers
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
nagios_nrpe_default_ntp_server: "ntp.online.net"
|
nagios_nrpe_default_ntp_server: "ntp.online.net"
|
||||||
|
|
||||||
# - meta: flush_handlers
|
# - ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
- name: Customize kernel for Orange FCE
|
- name: Customize kernel for Orange FCE
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
sysctl_file: /etc/sysctl.d/evolinux_fce.conf
|
sysctl_file: /etc/sysctl.d/evolinux_fce.conf
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
- { name: net.ipv4.tcp_keepalive_intvl, value: 60 }
|
- { name: net.ipv4.tcp_keepalive_intvl, value: 60 }
|
||||||
- { name: net.ipv6.conf.all.disable_ipv6, value: 1 }
|
- { name: net.ipv6.conf.all.disable_ipv6, value: 1 }
|
||||||
|
|
||||||
- debug:
|
- ansible.builtin.debug:
|
||||||
msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf."
|
msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf."
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
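Review bot: `ansible.posix.sysctl` is the first FQCN in this commit that points outside `ansible.builtin`, and the system section later adds `community.general.timezone` and `community.general.alternatives`; unlike the builtin renames, these make the role depend on two collections that must be present on the controller. Controllers running the full `ansible` package bundle both, but an ansible-core-only install needs them declared, so unless the role's `meta/main.yml` or a `requirements.yml` already lists `ansible.posix` and `community.general`, a one-line entry per collection there (and a mention in the role README) would close the gap. I cannot see those files in this commit, so this may already be covered elsewhere.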
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Check if the virtual machine on VMWare Host
|
- name: Check if the virtual machine on VMWare Host
|
||||||
shell: "dmidecode | grep -q 'VMware'"
|
ansible.builtin.shell:
|
||||||
|
cmd: "dmidecode | grep -q 'VMware'"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: vmware_provider
|
register: vmware_provider
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
@ -9,7 +10,7 @@
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: OpenVM Tools are installed for vmware
|
- name: OpenVM Tools are installed for vmware
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
state: present
|
state: present
|
||||||
name: open-vm-tools
|
name: open-vm-tools
|
||||||
tags:
|
tags:
|
||||||
|
|
|
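Review bot: The `dmidecode | grep -q 'VMware'` pipeline moved under `ansible.builtin.shell:` without `set -o pipefail` and `executable: /bin/bash`, whereas the two other pipelines rewritten in this commit (`getent passwd | …` in the postfix section and `dpkg -l cron …` in the system section) carry both. Because the task also sets `failed_when: False`, a missing `dmidecode` binary or a non-root run yields the same non-zero rc as "not VMware", so open-vm-tools would silently not be installed on a VMware guest. Changing the lines to `cmd: "set -o pipefail && dmidecode | grep -q 'VMware'"` plus `executable: /bin/bash` makes the task consistent with the others and lets a dmidecode failure surface in `vmware_provider.rc`/`stderr` for the task that consumes it. The task's `when:`/`tags:` keys and the consumer of `vmware_provider` are outside this hunk.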
@ -1,14 +1,14 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: chmod 700 /root
|
- name: chmod 700 /root
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /root
|
path: /root
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
when: evolinux_root_chmod | bool
|
when: evolinux_root_chmod | bool
|
||||||
|
|
||||||
- name: "Customize root's bashrc..."
|
- name: "Customize root's bashrc..."
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /root/.bashrc
|
dest: /root/.bashrc
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -24,34 +24,35 @@
|
||||||
## .bash_history should be append-only
|
## .bash_history should be append-only
|
||||||
|
|
||||||
- name: Create .bash_history if missing
|
- name: Create .bash_history if missing
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: ""
|
content: ""
|
||||||
dest: "/root/.bash_history"
|
dest: "/root/.bash_history"
|
||||||
force: no
|
force: no
|
||||||
when: evolinux_root_bash_history | bool
|
when: evolinux_root_bash_history | bool
|
||||||
|
|
||||||
- name: Set umask in /root/.profile
|
- name: Set umask in /root/.profile
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "/root/.profile"
|
dest: "/root/.profile"
|
||||||
line: "umask 0077"
|
line: "umask 0077"
|
||||||
regexp: "umask [0-9]+"
|
regexp: "umask [0-9]+"
|
||||||
when: evolinux_root_umask | bool
|
when: evolinux_root_umask | bool
|
||||||
|
|
||||||
- name: "/usr/share/scripts is present in root's PATH"
|
- name: "/usr/share/scripts is present in root's PATH"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "/root/.profile"
|
dest: "/root/.profile"
|
||||||
line: "PATH=\"${PATH}:/usr/share/scripts\""
|
line: "PATH=\"${PATH}:/usr/share/scripts\""
|
||||||
when: ansible_distribution_major_version is version('10', '>=')
|
when: ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- name: Custom git config for root
|
- name: Custom git config for root
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: root/gitconfig
|
src: root/gitconfig
|
||||||
dest: "/root/.gitconfig"
|
dest: "/root/.gitconfig"
|
||||||
force: no
|
force: no
|
||||||
when: evolinux_root_gitconfig | bool
|
when: evolinux_root_gitconfig | bool
|
||||||
|
|
||||||
- name: Is .bash_history append-only
|
- name: Is .bash_history append-only
|
||||||
shell: lsattr /root/.bash_history | grep -E "^.*a.* "
|
ansible.builtin.shell:
|
||||||
|
cmd: lsattr /root/.bash_history | grep -E "^.*a.* "
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: bash_history_append_only
|
register: bash_history_append_only
|
||||||
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
|
failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
|
||||||
|
@ -59,14 +60,15 @@
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
|
||||||
- name: Set .bash_history append-only
|
- name: Set .bash_history append-only
|
||||||
command: chattr +a /root/.bash_history
|
ansible.builtin.command:
|
||||||
|
cmd: chattr +a /root/.bash_history
|
||||||
when:
|
when:
|
||||||
- evolinux_root_bash_history_appendonly | bool
|
- evolinux_root_bash_history_appendonly | bool
|
||||||
- bash_history_append_only.rc != 0
|
- bash_history_append_only.rc != 0
|
||||||
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
|
- "'Inappropriate ioctl' not in bash_history_append_only.stderr"
|
||||||
|
|
||||||
- name: Setting vim as selected-editor
|
- name: Setting vim as selected-editor
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /root/.selected_editor
|
dest: /root/.selected_editor
|
||||||
regexp: '^SELECTED_EDITOR='
|
regexp: '^SELECTED_EDITOR='
|
||||||
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
|
line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
|
||||||
|
@ -74,7 +76,7 @@
|
||||||
when: evolinux_root_vim_default | bool
|
when: evolinux_root_vim_default | bool
|
||||||
|
|
||||||
- name: Setting vim root configuration
|
- name: Setting vim root configuration
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /root/.vimrc
|
dest: /root/.vimrc
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -89,7 +91,7 @@
|
||||||
when: evolinux_root_vim_conf | bool
|
when: evolinux_root_vim_conf | bool
|
||||||
|
|
||||||
- name: disable SSH access for root
|
- name: disable SSH access for root
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
replace: "PermitRootLogin no"
|
replace: "PermitRootLogin no"
|
||||||
|
@ -99,7 +101,7 @@
|
||||||
|
|
||||||
### Disabled : it seems useless and too dangerous for now
|
### Disabled : it seems useless and too dangerous for now
|
||||||
# - name: remove root from AllowUsers directive
|
# - name: remove root from AllowUsers directive
|
||||||
# replace:
|
# ansible.builtin.replace:
|
||||||
# dest: /etc/ssh/sshd_config
|
# dest: /etc/ssh/sshd_config
|
||||||
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
|
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
|
||||||
# replace: '\1\4'
|
# replace: '\1\4'
|
||||||
|
@ -107,4 +109,4 @@
|
||||||
# notify: reload sshd
|
# notify: reload sshd
|
||||||
# when: evolinux_root_disable_ssh
|
# when: evolinux_root_disable_ssh
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
|
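Review bot: `ansible.builtin.replace` in the "disable SSH access for root" task only rewrites a line that already matches `^#?PermitRootLogin (yes|without-password|prohibit-password)`; on a host whose sshd_config has no `PermitRootLogin` line at all, or carries `forced-commands-only`, the task is a silent no-op and root login stays at the sshd default. If this is the enforcement behind the role's root-SSH option (presumably the same `evolinux_root_disable_ssh` variable the commented-out task below references), `ansible.builtin.lineinfile` with `regexp: '^#?PermitRootLogin '` and `line: "PermitRootLogin no"` would set the directive whether or not it is present, assuming a single top-level directive rather than one inside a `Match` block. The same replace-only pattern appears in the system section's "Set /etc/adduser.conf DIR_MODE to 0700" task, whose `^DIR_MODE=0755$` regexp leaves any other existing value untouched. On releases whose sshd_config includes a drop-in directory, a drop-in that sets `PermitRootLogin` takes precedence over this edit, which is worth verifying separately. The task's `notify`/`when` keys are outside this hunk.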
@ -1,14 +1,14 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: /tmp must be world-writable
|
- name: /tmp must be world-writable
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /tmp
|
path: /tmp
|
||||||
state: directory
|
state: directory
|
||||||
mode: "u=rwx,g=rwx,o=rwxt"
|
mode: "u=rwx,g=rwx,o=rwxt"
|
||||||
when: evolinux_system_chmod_tmp | bool
|
when: evolinux_system_chmod_tmp | bool
|
||||||
|
|
||||||
- name: Setting default locales
|
- name: Setting default locales
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/locale.gen
|
dest: /etc/locale.gen
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -21,11 +21,12 @@
|
||||||
when: evolinux_system_locales | bool
|
when: evolinux_system_locales | bool
|
||||||
|
|
||||||
- name: Reconfigure locales
|
- name: Reconfigure locales
|
||||||
command: /usr/sbin/locale-gen
|
ansible.builtin.command:
|
||||||
|
cmd: /usr/sbin/locale-gen
|
||||||
when: evolinux_system_locales and default_locales is changed
|
when: evolinux_system_locales and default_locales is changed
|
||||||
|
|
||||||
- name: Setting default timezone
|
- name: Setting default timezone
|
||||||
timezone:
|
community.general.timezone:
|
||||||
name: "{{ evolinux_system_timezone | mandatory }}"
|
name: "{{ evolinux_system_timezone | mandatory }}"
|
||||||
notify: restart cron
|
notify: restart cron
|
||||||
when: evolinux_system_set_timezone | bool
|
when: evolinux_system_set_timezone | bool
|
||||||
|
@ -37,20 +38,20 @@
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: Ensure automagic vim conf is disabled
|
- name: Ensure automagic vim conf is disabled
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/vim/vimrc
|
dest: /etc/vim/vimrc
|
||||||
regexp: 'let g:skip_defaults_vim ='
|
regexp: 'let g:skip_defaults_vim ='
|
||||||
line: 'let g:skip_defaults_vim = 1'
|
line: 'let g:skip_defaults_vim = 1'
|
||||||
when: evolinux_system_vim_skip_defaults | bool
|
when: evolinux_system_vim_skip_defaults | bool
|
||||||
|
|
||||||
- name: Setting vim as default editor
|
- name: Setting vim as default editor
|
||||||
alternatives:
|
community.general.alternatives:
|
||||||
name: editor
|
name: editor
|
||||||
path: /usr/bin/vim.basic
|
path: /usr/bin/vim.basic
|
||||||
when: evolinux_system_vim_default_editor | bool
|
when: evolinux_system_vim_default_editor | bool
|
||||||
|
|
||||||
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
|
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/profile.d/evolinux.sh
|
dest: /etc/profile.d/evolinux.sh
|
||||||
line: "umask 027"
|
line: "umask 027"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -58,7 +59,7 @@
|
||||||
when: evolinux_system_profile | bool
|
when: evolinux_system_profile | bool
|
||||||
|
|
||||||
- name: Set /etc/adduser.conf DIR_MODE to 0700
|
- name: Set /etc/adduser.conf DIR_MODE to 0700
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/adduser.conf
|
dest: /etc/adduser.conf
|
||||||
regexp: "^DIR_MODE=0755$"
|
regexp: "^DIR_MODE=0755$"
|
||||||
replace: "DIR_MODE=0700"
|
replace: "DIR_MODE=0700"
|
||||||
|
@ -67,7 +68,7 @@
|
||||||
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
|
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
|
||||||
|
|
||||||
- name: Deactivating login on all tty except tty2
|
- name: Deactivating login on all tty except tty2
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/securetty
|
dest: /etc/securetty
|
||||||
line: "tty2"
|
line: "tty2"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -75,7 +76,7 @@
|
||||||
when: evolinux_system_restrict_securetty | bool
|
when: evolinux_system_restrict_securetty | bool
|
||||||
|
|
||||||
- name: Setting TMOUT to disconnect inactive users
|
- name: Setting TMOUT to disconnect inactive users
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/profile.d/evolinux.sh
|
dest: /etc/profile.d/evolinux.sh
|
||||||
line: "export TMOUT={{ evolinux_system_timeout }}"
|
line: "export TMOUT={{ evolinux_system_timeout }}"
|
||||||
regexp: "^export TMOUT="
|
regexp: "^export TMOUT="
|
||||||
|
@ -86,8 +87,8 @@
|
||||||
#- name: Customizing /etc/fstab
|
#- name: Customizing /etc/fstab
|
||||||
|
|
||||||
- name: Check if cron is installed
|
- name: Check if cron is installed
|
||||||
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
ansible.builtin.shell:
|
||||||
args:
|
cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
check_mode: no
|
check_mode: no
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
@ -95,7 +96,7 @@
|
||||||
register: is_cron_installed
|
register: is_cron_installed
|
||||||
|
|
||||||
- name: Set verbose logging for cron deamon
|
- name: Set verbose logging for cron deamon
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/default/cron
|
dest: /etc/default/cron
|
||||||
line: "EXTRA_OPTS='-L 15'"
|
line: "EXTRA_OPTS='-L 15'"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -105,7 +106,7 @@
|
||||||
- evolinux_system_cron_verboselog | bool
|
- evolinux_system_cron_verboselog | bool
|
||||||
|
|
||||||
- name: Modify default umask for cron deamon
|
- name: Modify default umask for cron deamon
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/default/cron
|
dest: /etc/default/cron
|
||||||
line: "umask 022"
|
line: "umask 022"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -115,7 +116,7 @@
|
||||||
- evolinux_system_cron_umask | bool
|
- evolinux_system_cron_umask | bool
|
||||||
|
|
||||||
- name: Randomize periodic crontabs
|
- name: Randomize periodic crontabs
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/crontab
|
dest: /etc/crontab
|
||||||
regexp: "{{ item.regexp }}"
|
regexp: "{{ item.regexp }}"
|
||||||
replace: "{{ item.replace }}"
|
replace: "{{ item.replace }}"
|
||||||
|
@ -134,7 +135,7 @@
|
||||||
## alert5
|
## alert5
|
||||||
|
|
||||||
- name: Install alert5 init script (jessie/stretch)
|
- name: Install alert5 init script (jessie/stretch)
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: system/alert5.sysvinit.j2
|
src: system/alert5.sysvinit.j2
|
||||||
dest: /etc/init.d/alert5
|
dest: /etc/init.d/alert5
|
||||||
force: no
|
force: no
|
||||||
|
@ -144,7 +145,7 @@
|
||||||
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
|
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
|
||||||
|
|
||||||
- name: Enable alert5 init script (jessie/stretch)
|
- name: Enable alert5 init script (jessie/stretch)
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: alert5
|
name: alert5
|
||||||
enabled: yes
|
enabled: yes
|
||||||
when:
|
when:
|
||||||
|
@ -155,7 +156,7 @@
|
||||||
|
|
||||||
|
|
||||||
- name: Install alert5 init script (buster and later)
|
- name: Install alert5 init script (buster and later)
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: system/alert5.sh.j2
|
src: system/alert5.sh.j2
|
||||||
dest: /usr/share/scripts/alert5.sh
|
dest: /usr/share/scripts/alert5.sh
|
||||||
force: no
|
force: no
|
||||||
|
@ -165,7 +166,7 @@
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- name: Install alert5 service (buster and later)
|
- name: Install alert5 service (buster and later)
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: alert5.service
|
src: alert5.service
|
||||||
dest: /etc/systemd/system/alert5.service
|
dest: /etc/systemd/system/alert5.service
|
||||||
force: yes
|
force: yes
|
||||||
|
@ -175,7 +176,7 @@
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- name: Enable alert5 init script (buster and later)
|
- name: Enable alert5 init script (buster and later)
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: alert5
|
name: alert5
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
@ -188,14 +189,15 @@
|
||||||
## network interfaces
|
## network interfaces
|
||||||
|
|
||||||
- name: "Is there an \"allow-hotplug\" interface ?"
|
- name: "Is there an \"allow-hotplug\" interface ?"
|
||||||
command: grep allow-hotplug /etc/network/interfaces
|
ansible.builtin.command:
|
||||||
|
cmd: grep allow-hotplug /etc/network/interfaces
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: grep_hotplug_eni
|
register: grep_hotplug_eni
|
||||||
|
|
||||||
- name: "Network interfaces must be \"auto\" and not \"allow-hotplug\""
|
- name: "Network interfaces must be \"auto\" and not \"allow-hotplug\""
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/network/interfaces
|
dest: /etc/network/interfaces
|
||||||
regexp: "allow-hotplug"
|
regexp: "allow-hotplug"
|
||||||
replace: "auto"
|
replace: "auto"
|
||||||
|
@ -203,6 +205,4 @@
|
||||||
- evolinux_system_eni_auto | bool
|
- evolinux_system_eni_auto | bool
|
||||||
- grep_hotplug_eni.rc == 0
|
- grep_hotplug_eni.rc == 0
|
||||||
|
|
||||||
## /sbin/deny
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
- meta: flush_handlers
|
|
||||||
|
|
|
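Review bot: `export TMOUT={{ evolinux_system_timeout }}` in `/etc/profile.d/evolinux.sh` is a plain shell variable, so any user can `unset TMOUT` or set it to 0 in their own session; if the idle disconnect is meant as an enforced control rather than a convenience default, the task should also write `readonly TMOUT` (a second lineinfile task, or a two-line `line:` with a matching `regexp:`). The existing `regexp: "^export TMOUT="` already keeps the value idempotent, so the readonly marker is the only missing piece. The "Deactivating login on all tty except tty2" task above it assumes `/etc/securetty` is still consulted by PAM; recent Debian releases no longer ship that file, so it may be worth confirming the task still has an effect on the versions this role targets. The `when:` keys of both tasks are outside their hunks.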
@ -7,7 +7,7 @@
|
||||||
file: dump-server-state.yml
|
file: dump-server-state.yml
|
||||||
|
|
||||||
- name: "/sbin/deny script is present"
|
- name: "/sbin/deny script is present"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: deny.sh
|
src: deny.sh
|
||||||
dest: /sbin/deny
|
dest: /sbin/deny
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
|
@ -16,7 +16,7 @@
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: update-evobackup-canary script is present
|
- name: update-evobackup-canary script is present
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: update-evobackup-canary
|
src: update-evobackup-canary
|
||||||
dest: /usr/local/bin/update-evobackup-canary
|
dest: /usr/local/bin/update-evobackup-canary
|
||||||
force: True
|
force: True
|
||||||
|
@ -26,26 +26,17 @@
|
||||||
|
|
||||||
# TODO: delete when this has been run once on all our servers
|
# TODO: delete when this has been run once on all our servers
|
||||||
- name: update-evobackup-canary is removed from sbin
|
- name: update-evobackup-canary is removed from sbin
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /usr/local/sbin/update-evobackup-canary
|
path: /usr/local/sbin/update-evobackup-canary
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
# - name: dir-check script is present
|
|
||||||
# copy:
|
|
||||||
# src: "dir-check.sh"
|
|
||||||
# dest: /usr/local/bin/dir-check
|
|
||||||
# force: True
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
# mode: "0755"
|
|
||||||
|
|
||||||
- name: Deploy htop configuration
|
- name: Deploy htop configuration
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: htoprc
|
src: htoprc
|
||||||
dest: /etc/htoprc
|
dest: /etc/htoprc
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: Deploy top configuration file
|
- name: Deploy top configuration file
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /etc/topdefaultrc
|
path: /etc/topdefaultrc
|
||||||
state: absent
|
state: absent
|
||||||
|
|
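Review bot: The "/sbin/deny script is present" task copies `deny.sh` with `force: no`, so once the file exists on a host, later changes to the script in the role (including fixes) are never deployed, while `update-evobackup-canary` in the same file is deployed with `force: True`. If the intent is to allow local edits of `/sbin/deny`, a comment saying so above the task would help; otherwise `force: true` keeps the two script deployments consistent. Only the `mode: "0700"` and `force: no` lines of the deny task are visible here; its remaining keys, if any, are in the hunk that follows.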