evolix
/
ansible-roles
16
2
Fork 2
Code Issues 61 Pull Requests 18 Releases 28 Wiki Activity

Merge branch 'unstable' into stable
gitea/ansible-roles/pipeline/head This commit looks good Details
Ansible Lint |Total|New|Outstanding|Fixed|Trend |:-:|:-:|:-:|:-:|:-: |2780|0|2780|0|:zzz: Details
gitea/ansible-roles/pipeline/tag This commit looks good Details

Browse Source
stable 23.04
Jérémy Lecour 1 month ago committed by Jérémy Lecour
parent 37e6b14001 6cd72cf9f4
commit a10cff94d0
467 changed files with 4672 additions and 3548 deletions
Show Stats Download Patch File Download Diff File

18
CHANGELOG.md
Unescape Escape View File

@ -21,6 +21,24 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [23.04] 2023-04-23
### Added
* graylog: new role
* lxc-php: add support for PHP 8.2 container
### Changed
* Use FQCN (Fully Qualified Collection Name)
* apt: with Debian 12, backports are installed but disabled by default
* openvpn: updated the README file
* pgbouncer: add handler to restart the service
### Fixed
* generate-ldif: Support for Debian 12
## [23.03.1] 2023-03-16
### Added

2
amavis/handlers/main.yml
Unescape Escape View File

@ -1,5 +1,5 @@
---
- name: restart amavis
service:
ansible.builtin.service:
name: amavis
state: restarted

4
amavis/tasks/main.yml
Unescape Escape View File

@ -1,6 +1,6 @@
---
- name: install Amavis
apt:
ansible.builtin.apt:
name:
- postgrey
- amavisd-new
@ -9,7 +9,7 @@
- amavis
- name: configure Amavis
template:
ansible.builtin.template:
src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644"

6
amazon-ec2/amazon-ec2-evolinux.yml
Unescape Escape View File

@ -9,10 +9,10 @@
aws_region: ca-central-1
tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: setup.yml
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: create-instance.yml
@ -51,7 +51,7 @@
- mysql
post_tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/etc-git
tasks_from: commit.yml
vars:

8
amazon-ec2/tasks/create-instance.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: Launch new instance(s)
ec2:
amazon.aws.ec2:
state: present
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
@ -16,19 +16,19 @@
register: ec2
- name: Add newly created instance(s) to inventory
add_host:
ansible.builtin.add_host:
hostname: "{{ item.public_dns_name }}"
groupname: launched-instances
ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ ec2.instances }}"
- debug:
- ansible.builtin.debug:
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}"
- name: Wait for SSH to come up on all instances (give up after 2m)
wait_for:
ansible.builtin.wait_for:
state: started
host: "{{ item.public_dns_name }}"
port: 22

2
amazon-ec2/tasks/post-install.yml
Unescape Escape View File

@ -1,5 +1,5 @@
---
- name: Remove admin user
user:
ansible.builtin.user:
name: admin
state: absent

4
amazon-ec2/tasks/setup.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: Create default security group
ec2_group:
amazon.aws.ec2_group:
name: "{{ ec2_security_group.name }}"
state: present
aws_access_key: "{{ aws_access_key }}"
@ -12,7 +12,7 @@
rules_egress: "{{ ec2_security_group.rules_egress }}"
- name: Create key pair
ec2_key:
amazon.aws.ec2_key:
name: "{{ ec2_keyname }}"
state: present
aws_access_key: "{{ aws_access_key }}"

6
apache/handlers/main.yml
Unescape Escape View File

@ -1,15 +1,15 @@
---
- name: restart apache
service:
ansible.builtin.service:
name: apache2
state: restarted
- name: reload apache
service:
ansible.builtin.service:
name: apache2
state: reloaded
- name: restart munin-node
service:
ansible.builtin.service:
name: munin-node
state: restarted

12
apache/tasks/auth.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: Init ipaddr_whitelist.conf file
copy:
ansible.builtin.copy:
src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf
owner: root
@ -12,10 +12,10 @@
- apache
- name: Load IP whitelist task
include: ip_whitelist.yml
ansible.builtin.import_tasks: ip_whitelist.yml
- name: include private IP whitelist for server-status
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/mods-available/status.conf
line: " include /etc/apache2/ipaddr_whitelist.conf"
insertafter: 'SetHandler server-status'
@ -24,7 +24,7 @@
- apache
- name: Copy private_htpasswd
copy:
ansible.builtin.copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
@ -36,7 +36,7 @@
- apache
- name: add user:pwd to private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
@ -46,7 +46,7 @@
- apache
- name: remove user:pwd from private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent

4
apache/tasks/ip_whitelist.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
@ -12,7 +12,7 @@
- ips
- name: remove IP addresses from private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent

4
apache/tasks/log2mail.yml
Unescape Escape View File

@ -1,14 +1,14 @@
---
- name: log2mail is installed
apt:
ansible.builtin.apt:
name: log2mail
state: present
tags:
- apache
- name: Add log2mail config for Apache segfaults
template:
ansible.builtin.template:
src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache"
owner: log2mail

46
apache/tasks/main.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: packages are installed (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- apache2
- libapache2-mod-evasive
@ -14,7 +14,7 @@
when: ansible_distribution_major_version is version('9', '>=')
- name: itk package is installed if required (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- libapache2-mpm-itk
state: present
@ -26,7 +26,7 @@
- apache_mpm == "itk"
- name: packages are installed (jessie)
apt:
ansible.builtin.apt:
name:
- apache2-mpm-itk
- libapache2-mod-evasive
@ -39,7 +39,7 @@
when: ansible_distribution_release == "jessie"
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -55,7 +55,7 @@
- apache
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -67,7 +67,7 @@
- name: Copy Apache defaults config file
copy:
ansible.builtin.copy:
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root
@ -79,7 +79,7 @@
- apache
- name: Copy Apache custom config file
copy:
ansible.builtin.copy:
src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root
@ -91,7 +91,7 @@
- apache
- name: disable status.conf
file:
ansible.builtin.file:
dest: /etc/apache2/mods-enabled/status.conf
state: absent
notify: reload apache
@ -99,7 +99,8 @@
- apache
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
ansible.builtin.command:
cmd: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
loop:
@ -109,12 +110,12 @@
tags:
- apache
- include: auth.yml
- ansible.builtin.include: auth.yml
tags:
- apache
- name: default vhost is installed
template:
ansible.builtin.template:
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
@ -124,7 +125,7 @@
- apache
- name: default vhost is enabled
file:
ansible.builtin.file:
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
@ -134,12 +135,13 @@
tags:
- apache
- include: server_status.yml
- ansible.builtin.include: server_status.yml
tags:
- apache
- name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars"
ansible.builtin.command:
cmd: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
@ -148,7 +150,7 @@
- apache
- name: Add a mark in envvars for umask
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
@ -159,13 +161,13 @@
tags:
- apache
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
tags:
- apache
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -175,7 +177,7 @@
- apache
- name: "Install save_apache_status.sh"
copy:
ansible.builtin.copy:
src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh
mode: "0755"
@ -184,7 +186,7 @@
- apache
- name: "logrotate: {{ apache_logrotate_frequency }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: "(daily|weekly|monthly)"
replace: "{{ apache_logrotate_frequency }}"
@ -192,19 +194,19 @@
- apache
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: '^(\s+rotate) \d+$'
replace: '\1 {{ apache_logrotate_rotate }}'
tags:
- apache
- include: log2mail.yml
- ansible.builtin.include: log2mail.yml
when: apache_log2mail_include
tags:
- apache
- include: munin.yml
- ansible.builtin.include: munin.yml
when: apache_munin_include | bool
tags:
- apache

11
apache/tasks/munin.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: "Install munin-node and core plugins packages"
apt:
ansible.builtin.apt:
name:
- munin-node
- munin-plugins-core
@ -11,7 +11,7 @@
- munin
- name: "Enable Munin plugins"
file:
ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
@ -25,7 +25,7 @@
- munin
- name: "Install fcgi packages for Munin graphs"
apt:
ansible.builtin.apt:
name:
- libapache2-mod-fcgid
- libcgi-fast-perl
@ -36,7 +36,8 @@
- munin
- name: "Enable libapache2-mod-fcgid"
command: a2enmod fcgid
ansible.builtin.command:
cmd: a2enmod fcgid
register: cmd_enable_fcgid
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
notify: restart apache
@ -45,7 +46,7 @@
- munin
- name: "Apache has access to /var/log/munin/"
file:
ansible.builtin.file:
path: /var/log/munin/
group: www-data
tags:

26
apache/tasks/server_status.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: server status dirname exists
file:
ansible.builtin.file:
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
mode: "0700"
owner: root
@ -9,7 +9,7 @@
state: directory
- name: set apache serverstatus suffix if provided
copy:
ansible.builtin.copy:
dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
@ -17,51 +17,53 @@
when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
ansible.builtin.shell:
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
args:
creates: "{{ apache_serverstatus_suffix_file }}"
- name: read apache server status suffix
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
ansible.builtin.command:
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
changed_when: False
check_mode: no
register: new_apache_serverstatus_suffix
- name: overwrite apache_serverstatus_suffix
set_fact:
ansible.builtin.set_fact:
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
- debug:
- ansible.builtin.debug:
var: apache_serverstatus_suffix
verbosity: 1
- name: replace server-status suffix in default site index
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
replace:
ansible.builtin.replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache
- name: Munin configuration has a section for apache
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "[apache_*]"
create: no
- name: apache-status URL is configured for Munin
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status'
@ -70,7 +72,7 @@
notify: restart munin-node
- name: add mailgraph URL in index.html
lineinfile:
ansible.builtin.lineinfile:
dest: /var/www/index.html
state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'

2
apt/defaults/main.yml
Unescape Escape View File

@ -8,6 +8,8 @@ apt_upgrade: False
apt_install_basics: True
apt_basics_components: "main"
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
apt_install_backports: False
apt_backports_components: "main"

3
apt/files/bookworm_backports_preferences
Unescape Escape View File

@ -0,0 +1,3 @@
Package: *
Pin: release a=bookworm-backports
Pin-Priority: 50

126
apt/files/deb822-migration.py
Unescape Escape View File

@ -3,20 +3,36 @@
import re
import sys
import os
if len(sys.argv) > 1:
src_file = sys.argv[1]
else:
print("You must provide a source file as first argument", file=sys.stderr)
sys.exit(1)
if not os.access(src_file, os.R_OK):
print(src_file, "is not readable", file=sys.stderr)
sys.exit(2)
pattern = re.compile('^(?P<type>deb|deb-src) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
sources = {}
import select
import apt
import apt_pkg
# Order matters !
destinations = {
"debian-security": "security.sources",
".*-backports": "backports.sources",
".debian.org": "system.sources",
"mirror.evolix.org": "system.sources",
"pub.evolix.net": "evolix_public_old.sources",
"pub.evolix.org": "evolix_public.sources",
"artifacts.elastic.co": "elastic.sources",
"download.docker.com": "docker.sources",
"downloads.linux.hpe.com": "hp.sources",
"pkg.jenkins-ci.org": "jenkins.sources",
"packages.sury.org": "sury.sources",
"repo.mongodb.org": "mongodb.sources",
"apt.newrelic.com": "newrelic.sources",
"deb.nodesource.com": "nodesource.sources",
"dl.yarnpkg.com": "yarn.sources",
"apt.postgresql.org": "postgresql.sources",
"packages.microsoft.com/repos/vscode": "microsoft-vscode.sources",
"packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources",
"updates.signal.org": "signal.sources",
"downloads.1password.com/linux/debian": "1password.sources",
"download.virtualbox.org": "virtualbox.sources"
}
sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
def split_options(raw):
table = str.maketrans({
@ -27,25 +43,44 @@ def split_options(raw):
return options
with open(src_file,'r') as file:
for line in file:
def auto_destination(uri):
basename = uri
basename = re.sub('\[[^\]]+\]', '', basename)
basename = re.sub('\w+://', '', basename)
basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split())
return '%s.sources' % basename
def destination(matches):
for search_str in destinations.keys():
search_pattern = re.compile(f'{search_str}(/|\s|$)')
if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]):
return destinations[search_str]
# fallback if nothing matches
return auto_destination(matches['uri'])
def prepare_sources(lines):
sources = {}
pattern = re.compile('^(?: *(?P<type>deb|deb-src)) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
for line in lines:
matches = re.match(pattern, line)
if matches is not None:
# print(matches.groupdict())
uri = matches['uri']
if matches is not None:
dest = destination(matches)
options = {}
if matches.group('options'):
for option in split_options(matches['options']):
if "=" in option:
key, value = option.split("=")
options[key] = value
if uri in sources:
sources[uri]["Types"].add(matches["type"])
sources[uri]["URIs"] = matches["uri"]
sources[uri]["Suites"].add(matches["suite"])
sources[uri]["Components"].update(matches["components"].split(' '))
if dest in sources:
sources[dest]["Types"].add(matches["type"])
sources[dest]["URIs"] = matches["uri"]
sources[dest]["Suites"].add(matches["suite"])
sources[dest]["Components"].update(matches["components"].split(' '))
else:
source = {
"Types": {matches['type']},
@ -83,14 +118,35 @@ with open(src_file,'r') as file:
else:
source["Targets"] = {options["target"]}
sources[uri] = source
for i, (uri, source) in enumerate(sources.items()):
if i > 0:
print("")
for key, value in source.items():
if isinstance(value, str):
print("{}: {}".format(key, value) )
else:
print("{}: {}".format(key, ' '.join(value)) )
i += 1
sources[dest] = source
return sources
def save_sources(sources, output_dir):
# print(output_dir)
# print(sources)
for dest, source in sources.items():
source_path = output_dir + dest
with open(source_path, 'w') as file:
for key, value in source.items():
if isinstance(value, str):
file.write("{}: {}\n".format(key, value))
else:
file.write("{}: {}\n".format(key, ' '.join(value)))
def main():
if select.select([sys.stdin, ], [], [], 0.0)[0]:
sources = prepare_sources(sys.stdin)
# elif len(sys.argv) > 1:
# sources = prepare_sources([sys.argv[1]])
else:
print("You must provide source lines to stdin", file=sys.stderr)
sys.exit(1)
output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
save_sources(sources, output_dir)
if __name__ == "__main__":
main()
sys.exit(0)

55
apt/files/deb822-migration.sh
Unescape Escape View File

@ -10,39 +10,40 @@ if [ ! -x "${deb822_migrate_script}" ]; then
exit 1
fi
dest_dir="/etc/apt/sources.list.d"
sources_from_file() {
grep --extended-regexp "^\s*(deb|deb-src) " $1
}
rc=0
count=0
migrate_file() {
legacy_file=$1
deb822_file=$2
if [ -f "${legacy_file}" ]; then
if [ -f "${deb822_file}" ]; then
>&2 echo "ERROR: '${deb822_file}' already exists"
rc=2
else
${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"
if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then
mv "${legacy_file}" "${legacy_file}.bak"
echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
else
>&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
rc=2
fi
fi
if [ -f /etc/apt/sources.list ]; then
sources_from_file /etc/apt/sources.list | ${deb822_migrate_script}
python_rc=$?
if [ ${python_rc} -eq 0 ]; then
mv /etc/apt/sources.list /etc/apt/sources.list.bak
echo "OK: /etc/apt/sources.list"
count=$(( count + 1 ))
else
>&2 echo "ERROR: '${legacy_file}' not found"
rc=2
>&2 echo "ERROR: failed migration for /etc/apt/sources.list"
rc=1
fi
}
fi
migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources"
for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
sources_from_file "${file}" | ${deb822_migrate_script}
python_rc=$?
# shellcheck disable=SC2044
for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
deb822_file=$(basename "${legacy_file}" .list)
migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources"
if [ ${python_rc} -eq 0 ]; then
mv "${file}" "${file}.bak"
echo "OK: ${file}"
count=$(( count + 1 ))
else
>&2 echo "ERROR: failed migration for ${file}"
rc=1
fi
done
echo "${count} file(s) migrated"
exit ${rc}

BIN
apt/files/pub_evolix.gpg
View File

Binary file not shown.

28
apt/tasks/backports.deb822.yml
Unescape Escape View File

@ -0,0 +1,28 @@
---
- name: Backports deb822 sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources
force: yes
mode: "0640"
register: apt_backports_sources
tags:
- apt
- name: Backports configuration
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
when: apt_backports_sources is changed or apt_backports_config is changed
tags:
- apt

45
apt/tasks/backports.oneline.yml
Unescape Escape View File

@ -0,0 +1,45 @@
---
- name: No backports config in default sources.list
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
- name: Backports sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
mode: "0640"
register: apt_backports_list
tags:
- apt
- name: Backports configuration
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Archived backport are accepted (jessie)
ansible.builtin.lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
tags:
- apt
when: ansible_distribution_release == "jessie"
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_backports_list is changed or apt_backports_config is changed

50
apt/tasks/backports.yml
Unescape Escape View File

@ -1,45 +1,13 @@
---
- name: No backports config in default sources.list
lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
- name: Backports sources list is installed
template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
mode: "0640"
register: apt_backports_list
tags:
- apt
# Backward compatibility task file
- name: Backports configuration
copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Archived backport are accepted (jessie)
lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
when: ansible_distribution_release == "jessie"
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_backports_list is changed or apt_backports_config is changed
tags:
- apt
- name: Install backports repositories (Debian >=12)
ansible.builtin.import_tasks: backports.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

45
apt/tasks/basics.deb822.yml
Unescape Escape View File

@ -0,0 +1,45 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources
mode: "0644"
force: yes
register: apt_basic_sources
tags:
- apt
- name: Change security repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources
mode: "0644"
force: yes
register: apt_security_sources
tags:
- apt
- name: Find one-line APT sources
ansible.builtin.find:
paths: /etc/apt
patterns: '*.list'
register: list_files
- name: Disable one-line-formatted sources
ansible.builtin.command:
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
environment:
LC_ALL: C
loop: "{{ list_files.files }}"
register: rename_cmd
changed_when: "'renamed' in rename_cmd.stdout"
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed or apt_security_sources is changed

18
apt/tasks/basics.oneline.yml
Unescape Escape View File

@ -0,0 +1,18 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: yes
register: apt_basic_list
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed

38
apt/tasks/basics.yml
Unescape Escape View File

@ -1,33 +1,13 @@
---
- name: Change basics repositories
template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: yes
register: apt_basic_list
tags:
- apt
# Backward compatibility task file
- name: Clean GANDI sources.list.d/debian-security.list
file:
path: '{{ item }}'
state: absent
loop:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-bullseye.list
- /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist | bool
tags:
- apt
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Apt update
apt:
update_cache: yes
when: apt_basic_list is changed
tags:
- apt
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

12
apt/tasks/config.yml
Unescape Escape View File

@ -1,7 +1,7 @@
---
- name: Evolinux config for APT
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
@ -12,12 +12,12 @@
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
when: apt_evolinux_config | bool
tags:
- apt
when: apt_evolinux_config | bool
- name: DPkg invoke hooks
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item }}"
create: yes
@ -28,14 +28,14 @@
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
when: apt_hooks | bool
tags:
- apt
when: apt_hooks | bool
- name: Remove Aptitude
apt:
ansible.builtin.apt:
name: aptitude
state: absent
when: apt_remove_aptitude | bool
tags:
- apt
when: apt_remove_aptitude | bool

45
apt/tasks/evolix_public.deb822.yml
Unescape Escape View File

@ -0,0 +1,45 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources
force: yes
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed

45
apt/tasks/evolix_public.oneline.yml
Unescape Escape View File

@ -0,0 +1,45 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed

50
apt/tasks/evolix_public.yml
Unescape Escape View File

@ -1,45 +1,13 @@
---
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
# Backward compatibility task file
- name: Evolix embedded GPG key is absent
apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
when: _trusted_gpg_keyring.stat.exists
tags:
- apt
- name: Install Evolix Public repositories (Debian <12)
ansible.builtin.import_tasks: evolix_public.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Add Evolix GPG key
copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_evolix_public is changed
tags:
- apt
- name: Install Evolix Public repositories (Debian >=12)
ansible.builtin.import_tasks: evolix_public.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

27
apt/tasks/hold_packages.yml
Unescape Escape View File

@ -1,11 +1,11 @@
---
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: "hold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -18,7 +18,7 @@
- apt
- name: "/etc/evolinux is present"
file:
ansible.builtin.file:
dest: /etc/evolinux
mode: "0700"
state: directory
@ -26,7 +26,7 @@
- apt
- name: "hold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -36,8 +36,8 @@
- apt
- name: "unhold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -48,7 +48,7 @@
- apt
- name: "unhold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -58,7 +58,7 @@
- apt
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -68,7 +68,7 @@
- apt
- name: Check scripts is installed
copy:
ansible.builtin.copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: yes
@ -77,7 +77,8 @@
- apt
- name: Check if Cron is installed
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
ansible.builtin.shell:
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: False
failed_when: False
@ -86,7 +87,7 @@
- apt
- name: Check for held packages (script)
cron:
ansible.builtin.cron:
cron_file: apt-hold-packages
name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh"
@ -97,6 +98,6 @@
day: "{{ apt_check_hold_cron_day }}"
month: "{{ apt_check_hold_cron_month }}"
state: "present"
when: is_cron.rc == 0
tags:
- apt
when: is_cron.rc == 0

98
apt/tasks/main.yml
Unescape Escape View File

@ -1,52 +1,116 @@
---
- name: "Compatibility check"
fail:
msg: only compatible with Debian >= 8
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
msg: Only compatible with Debian >= 8
tags:
- apt
- name: "apt-transport-https is installed for https repositories (before Buster)"
ansible.builtin.apt:
name:
- apt-transport-https
tags:
- apt
when: ansible_distribution_major_version is version('10', '<')
- name: "certificates are installed for https repositories"
ansible.builtin.apt:
name:
- ca-certificates
tags:
- apt
- name: Custom configuration
include: config.yml
ansible.builtin.import_tasks: config.yml
when: apt_config | bool
tags:
- apt
- name: Install basics repositories
include: basics.yml
when: apt_install_basics | bool
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '<')
- name: Install APT Backports repository
include: backports.yml
when: apt_install_backports | bool
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public | bool
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml