From 4c4a08f15ed4e33110c1ca81dd5c2316980e1ea9 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 17 Mar 2023 13:55:48 +0100 Subject: [PATCH 01/45] apt: Add binary key for our repository (for Jessie or less) --- apt/files/pub_evolix.gpg | Bin 0 -> 3948 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 apt/files/pub_evolix.gpg 
diff --git a/apt/files/pub_evolix.gpg b/apt/files/pub_evolix.gpg new file mode 100644 index 0000000000000000000000000000000000000000..ab6ab33f1ef06ecda418746a0da090eee50f46b1 GIT binary patch literal 3948 zcmajhWmFT48o+TjdUV$$Mms=iAkyFlh$tNb5+kHzv@|k8y1~&XIZ{ee=@=nM2qG#X z3S*>*2)pll-*eBs-|pAvJkPi1{La4+NJoZjfG-0WNrqHPSz7DPT@#>%)CL;3pYa!^ zkGoim+jr&%X$~j6&OF;SBXCH;8}l4p=elBhdA6UG$ye#T2D4>aB0WfLTj>49{Bn#@ zhw`-O8*0H*)0$gv#!_!K^8GYc8%@2Hy%{V{29o)#j(|N-EQ8!B^gqoka<)KoSBHen zFtiw$X$&s~PMA?dhJe{}F#Wcw(EG9|r%uGQX6$uT$=L_=(MBc2u=;ww%hyu{z|e4! z@Z&dmZw{EaD>}=Oc`$mWuUN|XLiU1BsGoHxCXA8X7^2N2XFdQ7-8v}1Fz>794MbGa z_7K#v5Veu#4k@}`w^-r;?fQ|g?L}y1aOuGxoX&Ts%SNhu4yO)p0~mum#8^7;fd$<+ zZ9bQWJy(AqvNRe$KPwFEp3qxM8%fw^7)7x0ShzBP%(*(G5T1+fnNJ6jih}$bG(Ldh z!x!sr*Gx3qTX?AiAk+7_i;-3DN`>VIu9oS(UT3{4nrC`PMuaBWEEv7@Ig&sAZle;I zB!zgb)&FjIFu#-|Jw~{UX<7U~(|*NhD+j zJ9LMlc_~bLC3LDABA!w5z#sk+!?wC|#klRxWd*5bSDpJE%7K)*`qagZE^SDMCNSFX5fR{JmK|Y>tA^e7cj-GBveq(1}ACy~w zkAEn?inCv!o3As}H_%bT`QJ-YF8*psKvOan0Ek45U4V?(6v16VRg<-Urh_;JLwVcqA0_+qE>9ve;w7jC_`yCGT|9rQ`Iy0F z#;*obI>>K91Z(DRDz0bB#XErF3*RvRh+)a88Reso*u&M9W}J~fr3<(h?}b8+v%Rl; zKM7J^sOQMQUSaUMp6yXTptP1rb2LVIb(z`gr-z2&XJHM`{}k`uFsN^ZYIaB@65|dO zIUHOx7N0XUr_q?vN^~z+ROpXpCb+sl&0_o&a?l0)3ECC=aPK8gsu=Dsg+1mT`|}?7 z9%2Ba`TkD{9;FAkDygqh!4p+-&&*H|(0Rg%f3=&7Bd;P^U zeEgt1B%QH-E6Kx90XDp!VN{_vRlkcpUJ5l#KC1Ot&c&EMSYKAh8$xzpkIVXyK7 zml4Tcybo_=&MUooGm?HoUD%;>ykuk5Ybe!xRvQiyqTb?;@H*GhTtr?fqpM5wYb+8Ezsv^sITlS%=aOjX;t+Ww*}6CiBnny8o;Hq9_GM5uYB zZ3W)PlzgjQDZ{BEP-#wMfJU|20R6AS7L4ChD6R3N6EBFV>jWx{XdBce?|o6jb`t5H zwtHy-KOl+^Fv!V4ZIb$VTyk2Z9~+mhH$~cUDLzn-{>?WkQbHS0<`(B`cZZb>h-@B` zobB}3IRz`U=_iTK(XQ-cMZ+ULB(bU&Rj%uMTyCw$m_f`>8WNm5W*zjyB1WYtuN!I1 zn)A2*^kcsbQciN>C#iuRKHA{=F;le0sV+9IaZfok@-BB$%Urt_w-{&S?PylC+_NmT zz#lH953)_f+9LIQ)cSZxiNLm$wR+z4s4Ay#G;7Tzyd~#~!SYNnnN#zPl?r|TF}qwl z%@I>Xx&hrpj!EXDAZbm8$C8zW^Hyyy4M@IiCbC+%S6@;RWYR0_o;LrwUaDZlM3>JN zH#0S`N%`Y@@?gr1FJ?sk4>Pp? 
zF!R5hkh?Mv!&mfzc|%E{%SCy;Luw^XyT|B$gq3jjB~{7K03-x8D;P9!1(VmmB2y^W zWLPxrOM_qB)iP-uv2Y6Z@PqsE!N9Fx<8Hb+hu`6yyklCPzd=7P4Fd7_#=_-M=_-nO zO}+ClQS_=wWV8(hY?i$*)u=*qRdDB$W$wfM)Q_ah&k)v>r-V@{cWJ~W!NN|dXU|rN z(dGQY=QhD_Y%D=yZzWFUd3L92ZT2Aj!{w%*S~U&uNMJ}G_Z4zQ?6P{yl!p1;I$f35Kn1Q2C+m~&p~$=SPgZ+b!)g3?mbT9=HT?Rr!98-|`H5(Mst z=iVCj(vrTF$PL4pSfg~4nL?ZaRPTpRb>+xOXH8WF<#FbL-U(L1M*Gs%=WBx@*(fbp z%e77l^d8w5Q`bTSa2>HrRZIQ*c@&Br@4nd_X&W&;YFE0;*w=ih{I>WX zPW0UV%A9%`R*_#89KGgW$w=y=;6esmQG}Dad<%+iQK2l3O>o&{XD5!j^w_yIdv_g$ z$6qAGCN9Q!*S3Ij&x*Qjjv#Z)k1$d@iUQrL`?c+P7h{+vyBd?cgssD?r04EJZA=H` zo-Kl~N#`Q$ql()6NG(;|SgB+t-q0otWTV&wdVKov-B*8YIeg_Huky7c0jzf=^Y&u* z^KtNE6qitOjDplqiTz2_V=0zYyB9vXoXG0rd!cZim)7WaCr&B9(!2*lKOF_>M6^bF z3tAKt9RULnzMZq4I~F?)@jz(Pj4@^4X9+7rJWV4JF>rD5k;`;VXm3}mMeU|A_B6Ep z(?FoCu(3Yu=(|jt+HV8fCqb$dC<~fnypAMDoSP+)f>O_zPivz<`b08|%Y;OK(Z?kp zV3IKkTG&Y$_q!*)DQp~&RkdHvmi&to)k5+*J0+}+F)uiWvrm_0eGdRyUnZ+gz`laa zgjU6L)aJD9^~6o5-0MEFJoWR?3$2gKNnToeU%%wg5x0)-7)hx-;c}nJ?CaVe2!6d0 zF57D}q{VC1%pQwe_jd*tD3^Uu`1w=9<}LujUPF#Ys(TGpiB_Ky=;W2GJ#CS-8J zO#B8Kh483kdt*uWq+;}Xk=5+!Bd1NH9Cabs`puiMQULFzqXqa?`C!$vtMgU$Z0tXr zkoo^#PW0S>JV0`4(l@RoK#l*_$?E`qGOoWQy7reu^kd{N4{Qztp0x496G}&UzNKFq z{5yE`-2MjWKNE#qMv@r)j82&~)#+4Q=GbV?upURBMdHo9fyS{7Ety-iR=4;;ySzzO zDh&32ew(Om`9dFdmtuUs;C_%zH?-WonBlitkz^jS3f#+{_OIWG5|Um|O%U)!|X zt`uAHNT+aYlfKF=v3gpmBcu_0tv=VOBtkxJ;__1Fab`+8Vaj$wHd$FUOp5)cNoDIw z-fj$g#-RF@67cV9B(0@a&v^c^q-(Xc-nX_2}i!-RLdT-Wp%h2s}4 zSwnK$BqxpTFz{uBFJMmP1QYQHRt6#vs=F@`%rn&0;AJKvNqlE9K1}c4X=VTA5bY)a zbzPyE3rl@x>6{a(b2iW}`Q$})Ks*b-t5Wjd)zgZmS%u9wi9*XYAD^hx!O3GfEp(3M z07OpUiJsoum|%Mkz>sS0s#f}b_PAqu={IEu)XQfD1pi?&UQcbzM$t6SfyY61;n`hS zuvBaaS|($LlbI8-*aVzbT{VzZ?&lME&7rzNpCE{YPjM6oT|a@0fZ0G=6DUdFmj;B4 zQHjKH@g=DJv*tU({JxR!4r;04Q9dE~rBM{rqGfPIf6wTxEV%n|_ICkp^9Kv3ue!u) zSXWwOeQ#I4Vz?5j{6v?ZfJqjtKn@*AL~uwXy};xID|gv~-C|O*stkCAPw^YK+iQvq zy6UvV+O5}wbx*gAzkz9 zyIP8i=nV21ck=;qK|7{MHTcR#qM&YbwaMVmtX3HC6ZeQDOmGxIi8IGwL>vmmrF2=b&en9r@^qmEE3r-IZhO|a zc2ESiOMInLP5JyruA0Qvdp36@*E>!Iu3U3~9Rz=uxAD6MQ+ulx97fCj8~xXD>v 
zZ~nO<|EenSmTZLhpu~Mu1$o2HEA5 Date: Fri, 17 Mar 2023 20:05:42 +0100 Subject: [PATCH 02/45] apt: use deb822 format on Debian 12 --- apt/files/deb822-migration.py | 122 +++++++++++++----- apt/files/deb822-migration.sh | 61 ++++----- apt/tasks/backports.deb822.yml | 35 +++++ .../{backports.yml => backports.oneline.yml} | 4 +- apt/tasks/basics.deb822.yml | 28 ++++ apt/tasks/basics.oneline.yml | 18 +++ apt/tasks/basics.yml | 33 ----- apt/tasks/evolix_public.deb822.yml | 45 +++++++ ...x_public.yml => evolix_public.oneline.yml} | 4 +- apt/tasks/hold_packages.yml | 2 +- apt/tasks/main.yml | 90 +++++++++++-- apt/templates/bookworm_backports.sources.j2 | 7 + apt/templates/bookworm_basics.list.j2 | 5 - apt/templates/bookworm_basics.sources.j2 | 9 ++ apt/templates/bookworm_security.sources.j2 | 7 + 15 files changed, 351 insertions(+), 119 deletions(-) mode change 100644 => 100755 apt/files/deb822-migration.py mode change 100644 => 100755 apt/files/deb822-migration.sh create mode 100644 apt/tasks/backports.deb822.yml rename apt/tasks/{backports.yml => backports.oneline.yml} (100%) create mode 100644 apt/tasks/basics.deb822.yml create mode 100644 apt/tasks/basics.oneline.yml delete mode 100644 apt/tasks/basics.yml create mode 100644 apt/tasks/evolix_public.deb822.yml rename apt/tasks/{evolix_public.yml => evolix_public.oneline.yml} (100%) create mode 100644 apt/templates/bookworm_backports.sources.j2 delete mode 100644 apt/templates/bookworm_basics.list.j2 create mode 100644 apt/templates/bookworm_basics.sources.j2 create mode 100644 apt/templates/bookworm_security.sources.j2 diff --git a/apt/files/deb822-migration.py b/apt/files/deb822-migration.py old mode 100644 new mode 100755 index 10ee47ae..a8873923 --- a/apt/files/deb822-migration.py +++ b/apt/files/deb822-migration.py 
@@ -3,20 +3,36 @@ import re import sys import os +import select +import apt +import apt_pkg -if len(sys.argv) > 1: - src_file = sys.argv[1] -else: - print("You must provide a source file as first argument", file=sys.stderr) - sys.exit(1) +# Order matters ! +destinations = { + "debian-security": "security.sources", + ".*-backports": "backports.sources", + ".debian.org": "system.sources", + "mirror.evolix.org": "system.sources", + "pub.evolix.net": "evolix_public_old.sources", + "pub.evolix.org": "evolix_public.sources", + "artifacts.elastic.co": "elastic.sources", + "download.docker.com": "docker.sources", + "downloads.linux.hpe.com": "hp.sources", + "pkg.jenkins-ci.org": "jenkins.sources", + "packages.sury.org": "sury.sources", + "repo.mongodb.org": "mongodb.sources", + "apt.newrelic.com": "newrelic.sources", + "deb.nodesource.com": "nodesource.sources", + "dl.yarnpkg.com": "yarn.sources", + "apt.postgresql.org": "postgresql.sources", + "packages.microsoft.com/repos/vscode": "microsoft-vscode.sources", + "packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources", + "updates.signal.org": "signal.sources", + "downloads.1password.com/linux/debian": "1password.sources", + "download.virtualbox.org": "virtualbox.sources" +} -if not os.access(src_file, os.R_OK): - print(src_file, "is not readable", file=sys.stderr) - sys.exit(2) - -pattern = re.compile('^(?Pdeb|deb-src) +(?P\[.+\] ?)*(?P\w+:\/\/\S+) +(?P\S+)(?: +(?P.*))?$') - -sources = {} +sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts') def split_options(raw): table = str.maketrans({ 
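Review bot: `sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts')` on the last added line is assigned at import time but never read in this patch; `main()` in the hunk at `@@ -83,14 +118,35 @@` queries the same key again into `output_dir`. Keep one of them, e.g. pass `sources_parts` to `save_sources` and drop the second lookup from `main()`. `import apt` is likewise unused in the visible code (only `apt_pkg` is referenced), so either drop it or add a comment saying why the high-level binding must be loaded. The `# Order matters !` comment on `destinations` would be clearer if it said why — presumably so that `debian-security` and `.*-backports` are tested before the generic `.debian.org` entry, since `destination()` in the next hunk walks the dict in insertion order.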
@@ -27,25 +43,44 @@ def split_options(raw): return options -with open(src_file,'r') as file: - for line in file: - matches = re.match(pattern, line) - if matches is not None: - # print(matches.groupdict()) - uri = matches['uri'] +def auto_destination(uri): + basename = uri + basename = re.sub('\[[^\]]+\]', '', basename) + basename = re.sub('\w+://', '', basename) + basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split()) + return '%s.sources' % basename + +def destination(matches): + for search_str in destinations.keys(): + search_pattern = re.compile(f'{search_str}(/|\s|$)') + if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]): + return destinations[search_str] + # fallback if nothing matches + return auto_destination(matches['uri']) + +def prepare_sources(lines): + sources = {} + pattern = re.compile('^(?: *(?Pdeb|deb-src)) +(?P\[.+\] ?)*(?P\w+:\/\/\S+) +(?P\S+)(?: +(?P.*))?$') + + for line in lines: + matches = re.match(pattern, line) + + if matches is not None: + dest = destination(matches) options = {} + if matches.group('options'): for option in split_options(matches['options']): if "=" in option: key, value = option.split("=") options[key] = value - if uri in sources: - sources[uri]["Types"].add(matches["type"]) - sources[uri]["URIs"] = matches["uri"] - sources[uri]["Suites"].add(matches["suite"]) - sources[uri]["Components"].update(matches["components"].split(' ')) + if dest in sources: + sources[dest]["Types"].add(matches["type"]) + sources[dest]["URIs"] = matches["uri"] + sources[dest]["Suites"].add(matches["suite"]) + sources[dest]["Components"].update(matches["components"].split(' ')) else: source = { "Types": {matches['type']}, 
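Review bot: The regex literals added in `auto_destination` and `destination` are ordinary strings containing `\[`, `\]`, `\w` and `\s`, which CPython reports as invalid escape sequences (DeprecationWarning, SyntaxWarning from 3.12), so they should be raw: `re.sub(r'\[[^\]]+\]', '', basename)`, `re.sub(r'\w+://', '', basename)` and `re.compile(rf'{search_str}(/|\s|$)')`. The `destinations` keys are interpolated unescaped, so the `.` in `mirror.evolix.org` or `pub.evolix.org` is a wildcard and, with `re.search`, the host may match anywhere in the URI; if only `.debian.org` and `.*-backports` are meant as patterns, `re.escape` the others or anchor the host part. `destination()` also recompiles every pattern for each source line; compiling them once at module level as an ordered list of `(pattern, dest)` pairs keeps the ordering and avoids the repeated work. The unchanged `key, value = option.split("=")` still raises `ValueError` on an option whose value itself contains `=`; `option.split("=", 1)` is the safe form.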
@@ -83,14 +118,35 @@ with open(src_file,'r') as file: else: source["Targets"] = {options["target"]} - sources[uri] = source + sources[dest] = source + return sources -for i, (uri, source) in enumerate(sources.items()): - if i > 0: - print("") - for key, value in source.items(): - if isinstance(value, str): - print("{}: {}".format(key, value) ) - else: - print("{}: {}".format(key, ' '.join(value)) ) - i += 1 \ No newline at end of file +def save_sources(sources, output_dir): + # print(output_dir) + # print(sources) + for dest, source in sources.items(): + source_path = output_dir + dest + + with open(source_path, 'w') as file: + for key, value in source.items(): + if isinstance(value, str): + file.write("{}: {}\n".format(key, value)) + else: + file.write("{}: {}\n".format(key, ' '.join(value))) + +def main(): + if select.select([sys.stdin, ], [], [], 0.0)[0]: + sources = prepare_sources(sys.stdin) + # elif len(sys.argv) > 1: + # sources = prepare_sources([sys.argv[1]]) + else: + print("You must provide source lines to stdin", file=sys.stderr) + sys.exit(1) + + output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts') + save_sources(sources, output_dir) + +if __name__ == "__main__": + main() + +sys.exit(0) \ No newline at end of file diff --git a/apt/files/deb822-migration.sh b/apt/files/deb822-migration.sh old mode 100644 new mode 100755 index 4e4a4dbc..10fb7889 --- a/apt/files/deb822-migration.sh +++ b/apt/files/deb822-migration.sh 
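Review bot: `save_sources` opens `output_dir + dest` with `'w'` and so silently truncates any `.sources` file already present under sourceparts, whereas the shell `migrate_file` this replaces (removed in the next file's hunk) refused to overwrite an existing deb822 file; a second run, or a host that already had `system.sources`, loses that content without any error. Opening with `'x'` and reporting the conflict (`with open(source_path, 'x') as file:` plus a `FileExistsError` handler that prints the path to stderr and exits non-zero) keeps the old guarantee. The stdin probe `select.select([sys.stdin, ], [], [], 0.0)` with a zero timeout also races the producer on a pipe: if `grep` has not written anything by the time the interpreter reaches `main()`, the script reports "You must provide source lines to stdin" although input is coming, so `if not sys.stdin.isatty():` is the more robust test. The module-level `sys.exit(0)` after the `__main__` guard terminates any process that merely imports the module; drop it, the interpreter exits 0 on its own.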
@@ -10,39 +10,40 @@ if [ ! -x "${deb822_migrate_script}" ]; then exit 1 fi -dest_dir="/etc/apt/sources.list.d" -rc=0 - -migrate_file() { - legacy_file=$1 - deb822_file=$2 - - if [ -f "${legacy_file}" ]; then - if [ -f "${deb822_file}" ]; then - >&2 echo "ERROR: '${deb822_file}' already exists" - rc=2 - else - ${deb822_migrate_script} "${legacy_file}" > "${deb822_file}" - if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then - mv "${legacy_file}" "${legacy_file}.bak" - echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak" - else - >&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'" - rc=2 - fi - fi - else - >&2 echo "ERROR: '${legacy_file}' not found" - rc=2 - fi +sources_from_file() { + grep --extended-regexp "^\s*(deb|deb-src) " $1 } -migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources" +rc=0 +count=0 -# shellcheck disable=SC2044 -for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do - deb822_file=$(basename "${legacy_file}" .list) - migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources" +if [ -f /etc/apt/sources.list ]; then + sources_from_file /etc/apt/sources.list | ${deb822_migrate_script} + python_rc=$? + + if [ ${python_rc} -eq 0 ]; then + mv /etc/apt/sources.list /etc/apt/sources.list.bak + echo "OK: /etc/apt/sources.list" + count=$(( count + 1 )) + else + >&2 echo "ERROR: failed migration for /etc/apt/sources.list" + rc=1 + fi +fi + +for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do + sources_from_file "${file}" | ${deb822_migrate_script} + python_rc=$? + + if [ ${python_rc} -eq 0 ]; then + mv "${file}" "${file}.bak" + echo "OK: ${file}" + count=$(( count + 1 )) + else + >&2 echo "ERROR: failed migration for ${file}" + rc=1 + fi done +echo "${count} file(s) migrated" exit ${rc} \ No newline at end of file 
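Review bot: `sources_from_file` passes `$1` to grep unquoted, and the loop `for file in $(find /etc/apt/sources.list.d ... -name '*.list')` splits on whitespace (the `# shellcheck disable=SC2044` marker was removed but the pattern stayed), so a `.list` name containing a space is split into non-existent paths and that file is reported as a failed migration. Quote the argument, `grep --extended-regexp "^\s*(deb|deb-src) " "$1"`, and iterate with a glob, `for file in /etc/apt/sources.list.d/*.list; do [ -f "${file}" ] || continue`. Note also that `python_rc=$?` reflects only the Python script: when grep finds no `deb` line it exits 1 but the script still gets an empty stdin and probably returns 0, so an empty `.list` file is renamed to `.bak` and counted as migrated — acceptable, but worth a comment above the loop. The enclosing script continues outside the hunk.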
diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml new file mode 100644 index 00000000..8e196cc0 --- /dev/null +++ b/apt/tasks/backports.deb822.yml @@ -0,0 +1,35 @@ +--- +- name: No backports config in default sources.list + lineinfile: + dest: /etc/apt/sources.list.d/ + regexp: "backports" + state: absent + tags: + - apt + +- name: Backports sources list is installed + template: + src: '{{ ansible_distribution_release }}_backports.sources.j2' + dest: /etc/apt/sources.list.d/backports.sources + force: yes + mode: "0640" + register: apt_backports_sources + tags: + - apt + +- name: Backports configuration + copy: + src: '{{ ansible_distribution_release }}_backports_preferences' + dest: /etc/apt/preferences.d/0-backports-defaults + force: yes + mode: "0640" + register: apt_backports_config + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + when: apt_backports_sources is changed or apt_backports_config is changed + tags: + - apt diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.oneline.yml similarity index 100% rename from apt/tasks/backports.yml rename to apt/tasks/backports.oneline.yml index aecf6194..7f6509b0 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.oneline.yml @@ -33,13 +33,13 @@ line: 'Acquire::Check-Valid-Until no;' create: yes state: present - when: ansible_distribution_release == "jessie" tags: - apt + when: ansible_distribution_release == "jessie" - name: Apt update apt: update_cache: yes - when: apt_backports_list is changed or apt_backports_config is changed tags: - apt + when: apt_backports_list is changed or apt_backports_config is changed diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml new file mode 100644 index 00000000..0a342e61 --- /dev/null +++ b/apt/tasks/basics.deb822.yml 
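Review bot: The first task, `No backports config in default sources.list`, points `lineinfile` at the directory `/etc/apt/sources.list.d/`; `lineinfile` refuses a directory as destination, so the task fails on every host before the template is written. Either drop it or give it the file it is meant to clean, `dest: /etc/apt/sources.list`. The generated `backports.sources` is installed with `mode: "0640"` while `basics.deb822.yml` in this same commit writes `system.sources` and `security.sources` with `mode: "0644"` (and `evolix_public.deb822.yml` uses `0640` again); apt reads these files as root so the stricter mode works, but pick one value and apply it across the three task files.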
@@ -0,0 +1,28 @@ +--- + +- name: Change basics repositories + template: + src: "{{ ansible_distribution_release }}_basics.sources.j2" + dest: /etc/apt/sources.list.d/system.sources + mode: "0644" + force: yes + register: apt_basic_sources + tags: + - apt + +- name: Change security repositories + template: + src: "{{ ansible_distribution_release }}_security.sources.j2" + dest: /etc/apt/sources.list.d/security.sources + mode: "0644" + force: yes + register: apt_security_sources + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + tags: + - apt + when: apt_basic_list is changed or apt_security_sources is changed diff --git a/apt/tasks/basics.oneline.yml b/apt/tasks/basics.oneline.yml new file mode 100644 index 00000000..8e0a562c --- /dev/null +++ b/apt/tasks/basics.oneline.yml @@ -0,0 +1,18 @@ +--- + +- name: Change basics repositories + template: + src: "{{ ansible_distribution_release }}_basics.list.j2" + dest: /etc/apt/sources.list + mode: "0644" + force: yes + register: apt_basic_list + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + tags: + - apt + when: apt_basic_list is changed diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml deleted file mode 100644 index 33c79129..00000000 --- a/apt/tasks/basics.yml +++ /dev/null 
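Review bot: The `Apt update` task's condition `when: apt_basic_list is changed or apt_security_sources is changed` references `apt_basic_list`, but the template task in this file registers `apt_basic_sources`; `apt_basic_list` is only registered by `basics.oneline.yml`, which is not imported on Debian 12, so the `changed` test receives an undefined value and the play errors instead of deciding whether to refresh the cache. Change it to `when: apt_basic_sources is changed or apt_security_sources is changed`.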
@@ -1,33 +0,0 @@ ---- - -- name: Change basics repositories - template: - src: "{{ ansible_distribution_release }}_basics.list.j2" - dest: /etc/apt/sources.list - mode: "0644" - force: yes - register: apt_basic_list - tags: - - apt - -- name: Clean GANDI sources.list.d/debian-security.list - file: - path: '{{ item }}' - state: absent - loop: - - /etc/apt/sources.list.d/debian-security.list - - /etc/apt/sources.list.d/debian-jessie.list - - /etc/apt/sources.list.d/debian-stretch.list - - /etc/apt/sources.list.d/debian-buster.list - - /etc/apt/sources.list.d/debian-bullseye.list - - /etc/apt/sources.list.d/debian-update.list - when: apt_clean_gandi_sourceslist | bool - tags: - - apt - -- name: Apt update - apt: - update_cache: yes - when: apt_basic_list is changed - tags: - - apt diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml new file mode 100644 index 00000000..a98a9983 --- /dev/null +++ b/apt/tasks/evolix_public.deb822.yml @@ -0,0 +1,45 @@ +--- + +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - apt + +- name: Evolix embedded GPG key is absent + apt_key: + id: "B8612B5D" + keyring: /etc/apt/trusted.gpg + state: absent + tags: + - apt + when: _trusted_gpg_keyring.stat.exists + +- name: Add Evolix GPG key + copy: + src: pub_evolix.asc + dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + force: yes + mode: "0644" + owner: root + group: root + tags: + - apt + +- name: Evolix public list is installed + template: + src: evolix_public.sources.j2 + dest: /etc/apt/sources.list.d/evolix_public.sources + force: yes + mode: "0640" + register: apt_evolix_public + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + tags: + - apt + when: apt_evolix_public is changed 
diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.oneline.yml similarity index 100% rename from apt/tasks/evolix_public.yml rename to apt/tasks/evolix_public.oneline.yml index 8c4d5216..e3ca833e 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.oneline.yml @@ -12,9 +12,9 @@ id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent - when: _trusted_gpg_keyring.stat.exists tags: - apt + when: _trusted_gpg_keyring.stat.exists - name: Add Evolix GPG key copy: @@ -40,6 +40,6 @@ - name: Apt update apt: update_cache: yes - when: apt_evolix_public is changed tags: - apt + when: apt_evolix_public is changed diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 10f5b358..2b3b815f 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -97,6 +97,6 @@ day: "{{ apt_check_hold_cron_day }}" month: "{{ apt_check_hold_cron_month }}" state: "present" - when: is_cron.rc == 0 tags: - apt + when: is_cron.rc == 0 diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 353dca36..3459b1b5 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -1,10 +1,26 @@ --- - name: "Compatibility check" - fail: - msg: only compatible with Debian >= 8 - when: - - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<') + assert: + that: + - ansible_distribution = "Debian" + - ansible_distribution_major_version is version('8', '>=') + msg: Only compatible with Debian >= 8 + tags: + - apt + +- name: "apt-transport-https is installed for https repositories (before Buster)" + apt: + name: + - apt-transport-https + tags: + - apt + when: ansible_distribution_major_version is version('10', '<') + +- name: "certificates are installed to https repositories" + apt: + name: + - ca-certificates tags: - apt 
@@ -14,23 +30,71 @@ tags: - apt -- name: Install basics repositories - include: basics.yml - when: apt_install_basics | bool +- name: Install basics repositories (Debian <12) + include: basics.debian-lt-12.yml tags: - apt + when: + - apt_install_basics | bool + - ansible_distribution_major_version is version('12', '<') -- name: Install APT Backports repository - include: backports.yml - when: apt_install_backports | bool +- name: Install basics repositories (Debian >=12) + include: basics.debian-ge-12.yml tags: - apt + when: + - apt_install_basics | bool + - ansible_distribution_major_version is version('12', '>=') -- name: Install Evolix Public APT repository - include: evolix_public.yml - when: apt_install_evolix_public | bool + +- name: Install backports repositories (Debian <12) + include: backports.debian-lt-12.yml tags: - apt + when: + - apt_install_backports | bool + - ansible_distribution_major_version is version('12', '<') + +- name: Install backports repositories (Debian >=12) + include: backports.debian-ge-12.yml + tags: + - apt + when: + - apt_install_backports | bool + - ansible_distribution_major_version is version('12', '>=') + + +- name: Install Evolix Public repositories (Debian <12) + include: evolix_public.debian-lt-12.yml + tags: + - apt + when: + - apt_install_evolix_public | bool + - ansible_distribution_major_version is version('12', '<') + +- name: Install Evolix Public repositories (Debian >=12) + include: evolix_public.debian-ge-12.yml + tags: + - apt + when: + - apt_install_evolix_public | bool + - ansible_distribution_major_version is version('12', '>=') + +- name: Clean GANDI sources + file: + path: '{{ item }}' + state: absent + loop: + - /etc/apt/sources.list.d/debian-security.list + - /etc/apt/sources.list.d/debian-jessie.list + - /etc/apt/sources.list.d/debian-stretch.list + - /etc/apt/sources.list.d/debian-buster.list + - /etc/apt/sources.list.d/debian-bullseye.list + - /etc/apt/sources.list.d/debian-update.list + tags: + - apt + 
when: apt_clean_gandi_sourceslist | bool + - name: Install check for packages marked hold include: hold_packages.yml diff --git a/apt/templates/bookworm_backports.sources.j2 b/apt/templates/bookworm_backports.sources.j2 new file mode 100644 index 00000000..20a505a3 --- /dev/null +++ b/apt/templates/bookworm_backports.sources.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://mirror.evolix.org/debian +Suites: bullseye-backports +Components: {{ apt_backports_components | mandatory }} +Enabled: yes diff --git a/apt/templates/bookworm_basics.list.j2 b/apt/templates/bookworm_basics.list.j2 deleted file mode 100644 index 1c6bc15b..00000000 --- a/apt/templates/bookworm_basics.list.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }} -deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 new file mode 100644 index 00000000..fbc3034a --- /dev/null +++ b/apt/templates/bookworm_basics.sources.j2 @@ -0,0 +1,9 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://mirror.evolix.org/debian +Suites: bookworm bookworm-updates +Components: {{ apt_basics_components | mandatory }} +Enabled: yes + +deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} diff --git a/apt/templates/bookworm_security.sources.j2 b/apt/templates/bookworm_security.sources.j2 new file mode 100644 index 00000000..0b0e4190 --- /dev/null +++ b/apt/templates/bookworm_security.sources.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://security.debian.org/debian-security +Suites: bookworm-security +Components: {{ apt_basics_components | mandatory }} +Enabled: yes \ No newline at end of file 
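Review bot: `bookworm_backports.sources.j2` sets `Suites: bullseye-backports`, yet it is selected as `{{ ansible_distribution_release }}_backports.sources.j2` for bookworm hosts, so a Debian 12 machine would be handed the previous release's backports suite; the preferences file added in `[PATCH 05/45]` pins `a=bookworm-backports`, which would then not apply to the suite actually configured. That later commit's hunk on the same template (`@@ -4,4 +4,4 @@`) still shows the line unchanged as context. Use `Suites: {{ ansible_distribution_release }}-backports`, or the literal `bookworm-backports` to match the template's name.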
From 9358efedfed30d67df390fd4a224c4a2e3b2b538 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Mar 2023 22:32:11 +0100 Subject: [PATCH 03/45] apt: fix many stupid mistakes --- apt/tasks/basics.deb822.yml | 16 ++++++++++++++++ apt/tasks/config.yml | 6 +++--- apt/tasks/main.yml | 20 ++++++++++---------- apt/templates/bookworm_backports.sources.j2 | 2 +- apt/templates/bookworm_basics.sources.j2 | 6 ++---- apt/templates/evolix_public.sources.j2 | 8 ++++++++ 6 files changed, 40 insertions(+), 18 deletions(-) create mode 100644 apt/templates/evolix_public.sources.j2 diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml index 0a342e61..b99a8af4 100644 --- a/apt/tasks/basics.deb822.yml +++ b/apt/tasks/basics.deb822.yml @@ -20,6 +20,22 @@ tags: - apt +- name: Find one-line APT sources + ansible.builtin.find: + paths: /etc/apt + patterns: '*.list' + register: list_files + +- name: Disable one-line-formatted sources + command: "mv --verbose {{ item.path }} {{ item.path }}.bak" + environment: + LC_ALL: C + loop: "{{ list_files.files }}" + register: rename_cmd + changed_when: "'renamed' in rename_cmd.stdout" + tags: + - apt + - name: Apt update apt: update_cache: yes diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 7befa375..62155623 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -12,9 +12,9 @@ - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } - { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' } - when: apt_evolinux_config | bool tags: - apt + when: apt_evolinux_config | bool - name: DPkg invoke hooks lineinfile: 
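Review bot: The new `Find one-line APT sources` task has no `tags: - apt`, while the `Disable one-line-formatted sources` task that loops over `list_files.files` does; a run limited with `--tags apt` skips the `find`, and the loop then fails on the undefined `list_files`. Add the same `tags:` block to the find task. Also, `ansible.builtin.find` does not descend into subdirectories unless `recurse: yes` is set, so with `paths: /etc/apt` only `/etc/apt/sources.list` is renamed and any `*.list` under `/etc/apt/sources.list.d/` stays active next to the new `.sources` files; if that is intended, a comment saying so would help, otherwise add `recurse: yes` or list both paths.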
@@ -28,14 +28,14 @@ - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" - when: apt_hooks | bool tags: - apt + when: apt_hooks | bool - name: Remove Aptitude apt: name: aptitude state: absent - when: apt_remove_aptitude | bool tags: - apt + when: apt_remove_aptitude | bool diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 3459b1b5..b72acb63 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -3,7 +3,7 @@ - name: "Compatibility check" assert: that: - - ansible_distribution = "Debian" + - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: Only compatible with Debian >= 8 tags: @@ -17,7 +17,7 @@ - apt when: ansible_distribution_major_version is version('10', '<') -- name: "certificates are installed to https repositories" +- name: "certificates are installed for https repositories" apt: name: - ca-certificates @@ -25,13 +25,13 @@ - apt - name: Custom configuration - include: config.yml + import_tasks: config.yml when: apt_config | bool tags: - apt - name: Install basics repositories (Debian <12) - include: basics.debian-lt-12.yml + import_tasks: basics.oneline.yml tags: - apt when: @@ -39,7 +39,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install basics repositories (Debian >=12) - include: basics.debian-ge-12.yml + import_tasks: basics.deb822.yml tags: - apt when: @@ -48,7 +48,7 @@ - name: Install backports repositories (Debian <12) - include: backports.debian-lt-12.yml + import_tasks: backports.oneline.yml tags: - apt when: @@ -56,7 +56,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install backports repositories (Debian >=12) - include: backports.debian-ge-12.yml + import_tasks: backports.deb822.yml tags: - apt when: 
@@ -65,7 +65,7 @@ - name: Install Evolix Public repositories (Debian <12) - include: evolix_public.debian-lt-12.yml + import_tasks: evolix_public.oneline.yml tags: - apt when: @@ -73,7 +73,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install Evolix Public repositories (Debian >=12) - include: evolix_public.debian-ge-12.yml + import_tasks: evolix_public.deb822.yml tags: - apt when: @@ -97,7 +97,7 @@ - name: Install check for packages marked hold - include: hold_packages.yml + import_tasks: hold_packages.yml when: apt_install_hold_packages | bool tags: - apt diff --git a/apt/templates/bookworm_backports.sources.j2 b/apt/templates/bookworm_backports.sources.j2 index 20a505a3..5b1b99d1 100644 --- a/apt/templates/bookworm_backports.sources.j2 +++ b/apt/templates/bookworm_backports.sources.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} Types: deb -URIs: https://mirror.evolix.org/debian +URIs: http://mirror.evolix.org/debian Suites: bullseye-backports Components: {{ apt_backports_components | mandatory }} Enabled: yes diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 index fbc3034a..247d7ec3 100644 --- a/apt/templates/bookworm_basics.sources.j2 +++ b/apt/templates/bookworm_basics.sources.j2 @@ -1,9 +1,7 @@ # {{ ansible_managed }} Types: deb -URIs: https://mirror.evolix.org/debian +URIs: http://mirror.evolix.org/debian Suites: bookworm bookworm-updates Components: {{ apt_basics_components | mandatory }} -Enabled: yes - -deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} +Enabled: yes \ No newline at end of file diff --git a/apt/templates/evolix_public.sources.j2 b/apt/templates/evolix_public.sources.j2 new file mode 100644 index 00000000..defd1282 --- /dev/null +++ b/apt/templates/evolix_public.sources.j2 
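Review bot: Both template hunks switch `URIs:` for `mirror.evolix.org` from `https://` back to `http://` without a reason in the commit message. apt's Release signature check covers integrity either way, but the plain-text transport exposes which packages a host fetches and ties the templates to the mirror still answering on port 80; if the reason is a certificate issue on the mirror or the `apt-transport-https` dependency on pre-Buster releases (not relevant to a bookworm-only template), a one-line `# ...` comment next to the `URIs:` line would spare the next reader the guess.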
@@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types:deb +URIs: http://pub.evolix.org/evolix +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc +Enabled: yes From 512b06a51300c2a193f8c5cc9cde0aee71f837e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Mar 2023 22:32:31 +0100 Subject: [PATCH 04/45] bookworm-detect: detect also from description --- bookworm-detect/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bookworm-detect/tasks/main.yml b/bookworm-detect/tasks/main.yml index 47dfd623..be11177e 100644 --- a/bookworm-detect/tasks/main.yml +++ b/bookworm-detect/tasks/main.yml @@ -8,4 +8,4 @@ ansible_distribution_major_version: 12 ansible_distribution: "Debian" ansible_distribution_release: "bookworm" - when: "ansible_lsb.codename == 'bookworm'" \ No newline at end of file + when: "'bookworm' in ansible_lsb.codename or 'bookworm' in ansible_lsb.description" \ No newline at end of file From 6f61a0744c82e587248cb4d391217f2b98660906 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 15:38:05 +0100 Subject: [PATCH 05/45] apt: with Debian, 12 backports are installed but disabled by default --- CHANGELOG.md | 2 ++ apt/defaults/main.yml | 2 ++ apt/files/bookworm_backports_preferences | 3 +++ apt/tasks/backports.deb822.yml | 9 +-------- apt/tasks/main.yml | 4 ++-- apt/templates/bookworm_backports.sources.j2 | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 apt/files/bookworm_backports_preferences diff --git a/CHANGELOG.md b/CHANGELOG.md index edb6c431..fafbe518 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* apt: with Debian 12, backports are installed but disabled by default + ### Fixed ### Removed diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index 681f1d14..3720d893 100644 --- a/apt/defaults/main.yml 
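Review bot: `Types:deb` is the only field in the new `evolix_public.sources.j2` written without a space after the colon; apt's deb822 parser should tolerate it, but every other field here and in the sibling templates uses `Field: value`, so write `Types: deb` for consistency. Binding the repository to its own key via `Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc` instead of the global keyring is the right scoping and pairs with the removal of id `B8612B5D` from `/etc/apt/trusted.gpg` in `evolix_public.deb822.yml`; a short comment above `Signed-by:` naming that dependency would keep the two in step.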
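Review bot: The new condition `'bookworm' in ansible_lsb.codename or 'bookworm' in ansible_lsb.description` still dereferences `ansible_lsb` directly; on a host without `lsb_release` that fact is, as far as I know, an empty dict, so both attribute lookups are undefined and the task errors rather than being skipped. `ansible_lsb.codename | default('')` and `ansible_lsb.description | default('')` keep the detection and make the missing-fact case a no-op.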
+++ b/apt/defaults/main.yml @@ -8,6 +8,8 @@ apt_upgrade: False apt_install_basics: True apt_basics_components: "main" +# With Debian 12+ and the deb822 format of source files +# backports are always installed but enabled according to `apt_install_backports` apt_install_backports: False apt_backports_components: "main" diff --git a/apt/files/bookworm_backports_preferences b/apt/files/bookworm_backports_preferences new file mode 100644 index 00000000..eaf76d52 --- /dev/null +++ b/apt/files/bookworm_backports_preferences @@ -0,0 +1,3 @@ +Package: * +Pin: release a=bookworm-backports +Pin-Priority: 50 diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 8e196cc0..633b9266 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -1,13 +1,6 @@ --- -- name: No backports config in default sources.list - lineinfile: - dest: /etc/apt/sources.list.d/ - regexp: "backports" - state: absent - tags: - - apt -- name: Backports sources list is installed +- name: Backports deb822 sources list is installed template: src: '{{ ansible_distribution_release }}_backports.sources.j2' dest: /etc/apt/sources.list.d/backports.sources diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index b72acb63..104756d2 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -46,7 +46,6 @@ - apt_install_basics | bool - ansible_distribution_major_version is version('12', '>=') - - name: Install backports repositories (Debian <12) import_tasks: backports.oneline.yml tags: @@ -55,12 +54,13 @@ - apt_install_backports | bool - ansible_distribution_major_version is version('12', '<') +# With Debian 12+ and the deb822 format of source files +# backports are always installed but enabled according to `apt_install_backports` - name: Install backports repositories (Debian >=12) import_tasks: backports.deb822.yml tags: - apt when: - - apt_install_backports | bool - ansible_distribution_major_version is version('12', '>=') 
diff --git a/apt/templates/bookworm_backports.sources.j2 b/apt/templates/bookworm_backports.sources.j2 index 5b1b99d1..31ac2f3b 100644 --- a/apt/templates/bookworm_backports.sources.j2 +++ b/apt/templates/bookworm_backports.sources.j2 @@ -4,4 +4,4 @@ Types: deb URIs: http://mirror.evolix.org/debian Suites: bullseye-backports Components: {{ apt_backports_components | mandatory }} -Enabled: yes +Enabled: {{ apt_install_backports | bool | ternary('yes', 'no') }} From 8f25dfe041af6fe8a7d0cdcbc37a809791aec93b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:35:54 +0100 Subject: [PATCH 06/45] evolinux-base: syntax --- evolinux-base/tasks/default_www.yml | 16 ++++--- evolinux-base/tasks/dump-server-state.yml | 4 +- evolinux-base/tasks/etc-evolinux.yml | 2 +- evolinux-base/tasks/fstab.yml | 39 ++++++++-------- evolinux-base/tasks/hostname.yml | 22 ++++----- evolinux-base/tasks/kernel.yml | 18 ++++---- evolinux-base/tasks/log2mail.yml | 8 ++-- evolinux-base/tasks/logs.yml | 19 ++++---- evolinux-base/tasks/main.yml | 38 ++++++++-------- evolinux-base/tasks/motd.yml | 2 +- evolinux-base/tasks/packages.yml | 30 ++++++------- evolinux-base/tasks/postfix.yml | 32 ++++++------- evolinux-base/tasks/provider_online.yml | 6 +-- evolinux-base/tasks/provider_orange_fce.yml | 6 +-- evolinux-base/tasks/provider_vmware.yml | 5 ++- evolinux-base/tasks/root.yml | 34 +++++++------- evolinux-base/tasks/system.yml | 50 ++++++++++----------- evolinux-base/tasks/utils.yml | 19 +++----- 18 files changed, 175 insertions(+), 175 deletions(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 84580b54..2d94fe2b 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml 
@@ -1,13 +1,13 @@ --- - name: /var/www is present - file: + ansible.builtin.file: path: /var/www state: directory mode: "0755" when: evolinux_default_www_files | bool - name: images are copied - copy: + ansible.builtin.copy: src: default_www/img dest: /var/www/ mode: "0644" @@ -16,7 +16,7 @@ when: evolinux_default_www_files | bool - name: index is copied - template: + ansible.builtin.template: src: default_www/index.html.j2 dest: /var/www/index.html mode: "0644" @@ -28,21 +28,23 @@ - name: Default certificate is present block: - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" + ansible.builtin.command: + cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" args: creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" - name: Adjust rights on private key - file: + ansible.builtin.file: path: /etc/ssl/private/{{ ansible_fqdn }}.key owner: root group: ssl-cert mode: "0640" - name: Create certificate for default site - command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt + ansible.builtin.command: + cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt args: creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" when: evolinux_default_www_ssl_cert | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml index 7d4a55cd..33822377 100644 --- a/evolinux-base/tasks/dump-server-state.yml 
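Review bot: The `openssl req` line still produces a CSR with only `-subj "/CN={{ ansible_fqdn }}"`, so the resulting self-signed certificate has no subjectAltName and current browsers and TLS stacks reject CN-only certificates regardless of trust; because of the `creates:` guards, hosts provisioned with it keep that certificate for the full `-days 3650`. Since the certificate is self-signed anyway, the two commands can collapse into one that also sets a SAN: `openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt -batch -subj "/CN={{ ansible_fqdn }}" -addext "subjectAltName=DNS:{{ ansible_fqdn }}"` (`-addext` needs OpenSSL 1.1.1+, so buster and later; older releases would have to keep the current path). Note that adding `-addext` to the `req` step alone is not enough, because `openssl x509 -req` does not copy extensions from the CSR. The `Default certificate is present` block and its trailing `when:` are both inside the hunk.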
+++ b/evolinux-base/tasks/dump-server-state.yml @@ -1,5 +1,5 @@ - name: dump-server-state script is present - copy: + ansible.builtin.copy: src: "dump-server-state.sh" dest: /usr/local/sbin/dump-server-state force: True @@ -8,7 +8,7 @@ mode: "0750" - name: symlink backup-server-state to dump-server-state - file: + ansible.builtin.file: src: /usr/local/sbin/dump-server-state dest: /usr/local/sbin/backup-server-state state: link diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index 56b0a976..e8ceb996 100644 --- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml @@ -2,7 +2,7 @@ ### This is taken care of by the evolinux-todo role # - name: /etc/evolinux exists -# file: +# ansible.builtin.file: # dest: /etc/evolinux # owner: root # group: root diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml index a3933844..a99ba692 100644 --- a/evolinux-base/tasks/fstab.yml +++ b/evolinux-base/tasks/fstab.yml 
@@ -4,69 +4,70 @@ # TODO: try to use the custom mount_uuid module for a different approach - name: Fetch fstab content - command: "grep -v '^#' /etc/fstab" + ansible.builtin.command: + cmd: "grep -v '^#' /etc/fstab" check_mode: no register: fstab_content failed_when: False changed_when: False - name: /home partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3' notify: remount /home when: - - fstab_content.stdout | regex_search('\s/home\s') - - evolinux_fstab_home | bool + - fstab_content.stdout | regex_search('\s/home\s') + - evolinux_fstab_home | bool - name: /tmp partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3' when: - - fstab_content.stdout | regex_search('\s/tmp\s') - - evolinux_fstab_tmp | bool + - fstab_content.stdout | regex_search('\s/tmp\s') + - evolinux_fstab_tmp | bool - name: /usr partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3' when: - - fstab_content.stdout | regex_search('\s/usr\s') - - evolinux_fstab_usr | bool + - fstab_content.stdout | regex_search('\s/usr\s') + - evolinux_fstab_usr | bool - name: /var partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3' notify: remount /var when: - - fstab_content.stdout | regex_search('\s/var\s') - - evolinux_fstab_var | bool + - fstab_content.stdout | regex_search('\s/var\s') + - evolinux_fstab_var | bool - name: /var/tmp is created - mount: + ansible.posix.mount: src: tmpfs name: /var/tmp fstype: tmpfs opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}" state: mounted when: - 
- evolinux_fstab_var_tmp | bool + - evolinux_fstab_var_tmp | bool - name: /dev/shm is created (Debian 10 and later) - mount: + ansible.posix.mount: src: tmpfs name: /dev/shm fstype: tmpfs opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}" state: mounted when: - - evolinux_fstab_dev_shm | bool - - ansible_distribution_major_version is version('10', '>=') + - evolinux_fstab_dev_shm | bool + - ansible_distribution_major_version is version('10', '>=') -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index ec3f99d1..b283a51e 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -1,29 +1,29 @@ --- - name: dbus is installed - apt: + ansible.builtin.apt: name: dbus state: present - name: dbus is enabled and started - service: + ansible.builtin.systemd: name: dbus state: started enabled: true - name: Set hostname "{{ evolinux_hostname }}" - hostname: + ansible.builtin.hostname: name: "{{ evolinux_hostname }}" when: evolinux_hostname_hosts | bool - name: Set right localhost line in /etc/hosts - replace: + ansible.builtin.replace: dest: /etc/hosts regexp: '^127.0.0.1(\s+)localhost.*$' replace: '127.0.0.1\1localhost.localdomain localhost' when: evolinux_hostname_hosts | bool - name: Set ip+fqdn+hostname in /etc/hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: '^{{ ansible_default_ipv4.address }}\s+' line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}" 
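Review bot: `ansible.posix.mount` makes the role depend on the ansible.posix collection, which is not part of ansible-core; nothing in this series declares it (no requirements.yml or meta hunk is visible), so a control node with a bare ansible-core install now fails at parse time on the `/var/tmp` and `/dev/shm` tasks instead of behaving as before. Add the collection to a requirements.yml (`collections: [ansible.posix]`) or document the minimum `ansible` package version that bundles it, alongside this change. The rest of the hunk is a faithful FQCN rename; the `when:` re-indentation is cosmetic.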
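Review bot: Replacing `service` with `ansible.builtin.systemd` for the `dbus is enabled and started` task is a behaviour change, not a syntax one: the `service` module picks the init system at runtime, whereas the systemd module fails outright on a host without systemd (a sysvinit or chrooted target), and the role still carries release-specific tasks for jessie elsewhere in this commit. If every target is known to run systemd, say so in the commit message or a one-line comment on the task; otherwise `ansible.builtin.service` keeps the previous behaviour while still satisfying the FQCN goal of the commit.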
@@ -31,14 +31,14 @@ when: evolinux_hostname_hosts | bool - name: 127.0.1.1 is removed - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: '^127.0.1.1\s+' state: absent when: evolinux_hostname_hosts | bool - name: /etc/mailname is up-to-date - copy: + ansible.builtin.copy: dest: /etc/mailname content: "{{ evolinux_fqdn }}\n" force: yes @@ -47,18 +47,18 @@ # Override facts - name: Override ansible_hostname fact - set_fact: + ansible.builtin.set_fact: ansible_hostname: "{{ evolinux_hostname }}" when: ansible_hostname != evolinux_hostname - name: Override ansible_domain fact - set_fact: + ansible.builtin.set_fact: ansible_domain: "{{ evolinux_domain }}" when: ansible_domain != evolinux_domain - name: Override ansible_fqdn fact - set_fact: + ansible.builtin.set_fact: ansible_fqdn: "{{ evolinux_fqdn }}" when: ansible_fqdn != evolinux_fqdn -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 62569b08..da3abf57 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -1,7 +1,7 @@ --- - name: "Use Cloud kernel on virtual servers" - apt: + ansible.builtin.apt: name: "linux-image-cloud-amd64" state: present when: @@ -10,7 +10,7 @@ - evolinux_kernel_cloud_auto | bool - name: "Remove non-Cloud kernel on virtual servers" - apt: + ansible.builtin.apt: name: "linux-image-amd64" state: absent when: @@ -19,7 +19,7 @@ - evolinux_kernel_cloud_auto | bool - name: Reboot after panic - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -31,7 +31,7 @@ when: evolinux_kernel_reboot_after_panic | bool - name: Don't reboot after panic - sysctl: + ansible.posix.sysctl: name: "{{ item }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: absent 
@@ -42,7 +42,7 @@ when: not evolinux_kernel_reboot_after_panic | bool - name: Disable net.ipv4.tcp_timestamps - sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_timestamps value: '0' sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -51,7 +51,7 @@ when: evolinux_kernel_disable_tcp_timestamps | bool - name: Customize the swappiness - sysctl: + ansible.posix.sysctl: name: vm.swappiness value: "{{ evolinux_kernel_swappiness }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -60,7 +60,7 @@ when: evolinux_kernel_customize_swappiness | bool - name: Patch for TCP stack vulnerability CVE-2016-5696 - sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_challenge_ack_limit value: "1073741823" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -69,7 +69,7 @@ when: evolinux_kernel_cve20165696 | bool - name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack) - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -81,4 +81,4 @@ - { name: "net.ipv4.ipfrag_high_thresh", value: "262144" } - { name: "net.ipv6.ip6frag_high_thresh", value: "262144" } -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 35ce19cf..9a1f3314 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -1,24 +1,24 @@ --- - name: Deploy log2mail systemd unit - copy: + ansible.builtin.copy: src: log2mail.service dest: /etc/systemd/system/log2mail.service mode: "0644" - name: Remove log2mail sysvinit service - file: + ansible.builtin.file: path: /etc/init.d/log2mail state: absent - name: Enable and start log2mail service - systemd: + ansible.builtin.systemd: name: log2mail daemon-reload: yes state: started enabled: yes - name: log2mail config is present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/log2mail/config/default owner: log2mail group: adm 
diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml index 8298486e..a6dd97ad 100644 --- a/evolinux-base/tasks/logs.yml +++ b/evolinux-base/tasks/logs.yml @@ -3,7 +3,7 @@ # TODO: voir comment faire des backups initiaux des fichiers - name: Copy rsyslog.conf - copy: + ansible.builtin.copy: src: logs/rsyslog.conf dest: /etc/rsyslog.conf mode: "0644" @@ -11,7 +11,8 @@ when: evolinux_logs_rsyslog_conf | bool - name: Disable logrotate default conf - command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled + ansible.builtin.command: + cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled args: removes: /etc/logrotate.d/rsyslog creates: /etc/logrotate.d/rsyslog.disabled @@ -19,33 +20,33 @@ when: evolinux_logs_disable_logrotate_rsyslog | bool - name: Copy many logrotate files - copy: + ansible.builtin.copy: src: logs/logrotate.d/ dest: /etc/logrotate.d/ when: evolinux_logs_logrotate_confs | bool - name: Copy rsyslog logrotate file - template: + ansible.builtin.template: src: logs/zsyslog.j2 dest: /etc/logrotate.d/zsyslog when: evolinux_logs_logrotate_confs | bool - name: Configure logrotate.conf default rotate value - replace: + ansible.builtin.replace: dest: /etc/logrotate.conf regexp: "rotate [0-9]+" replace: "rotate 12" when: evolinux_logs_default_rotate | bool - name: Enable logrotate.conf dateext option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "dateext" regexp: "^#?\\s*dateext" when: evolinux_logs_default_dateext | bool - name: Enable logrotate.conf dateformat option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}" regexp: "^#?\\s*dateformat.*" 
@@ -53,11 +54,11 @@ when: evolinux_logs_default_dateext | bool - name: Disable logrotate.conf dateyesterday option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "# dateyesterday" regexp: "^\\s*dateyesterday" insertafter: 'dateext' when: evolinux_logs_default_dateext | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index ecbfe069..29a77524 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -14,7 +14,7 @@ apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" apt_upgrade: "{{ evolinux_apt_upgrade }}" - apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}" + apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}" when: evolinux_apt_include | bool - name: /etc versioning with Git @@ -23,27 +23,27 @@ when: evolinux_etcgit_include | bool - name: /etc/evolinux base - include: etc-evolinux.yml + import_tasks: etc-evolinux.yml when: evolinux_etcevolinux_include | bool - name: Hostname - include: hostname.yml + import_tasks: hostname.yml when: evolinux_hostname_include | bool - name: Kernel tuning - include: kernel.yml + import_tasks: kernel.yml when: evolinux_kernel_include | bool - name: Fstab configuration - include: fstab.yml + import_tasks: fstab.yml when: evolinux_fstab_include | bool - name: Packages - include: packages.yml + import_tasks: packages.yml when: evolinux_packages_include | bool - name: System settings - include: system.yml + import_tasks: system.yml when: evolinux_system_include | bool - name: Minifirewall 
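Review bot: The rewritten `apt_basics_components` expression is broken by Jinja precedence: a filter binds tighter than `==`, so `ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main')` parses as `ansible_virtualization_role == ('host' | ternary(...))`, i.e. a comparison against the string `main contrib non-free`, and the variable becomes a boolean instead of a component list, which the apt role would then render into the sources file. Parenthesise the comparison: `apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}"`. The original inline-if form was correct, so reverting this one line is equally fine.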
@@ -67,41 +67,43 @@ # when: evolinux_users_include - name: Root user configuration - include: root.yml + import_tasks: root.yml when: evolinux_root_include | bool - name: Postfix - include: postfix.yml + import_tasks: postfix.yml when: evolinux_postfix_include | bool - name: Logs management - include: logs.yml + import_tasks: logs.yml when: evolinux_logs_include | bool - name: Default index page - include: default_www.yml + import_tasks: default_www.yml when: evolinux_default_www_include | bool - name: Hardware drivers and tools - include: hardware.yml - when: evolinux_hardware_include | bool + import_tasks: hardware.yml + when: + - evolinux_hardware_include | bool + - ansible_virtualization_role == "host" - name: Customize for Online.net - include: provider_online.yml + import_tasks: provider_online.yml when: evolinux_provider_online_include | bool - name: Customize for Orange FCE - include: provider_orange_fce.yml + import_tasks: provider_orange_fce.yml when: evolinux_provider_orange_fce_include | bool - name: Override Log2mail service - include: log2mail.yml + import_tasks: log2mail.yml when: evolinux_log2mail_include | bool -- include: motd.yml +- import_tasks: motd.yml when: evolinux_motd_include | bool -- include: utils.yml +- import_tasks: utils.yml when: evolinux_utils_include | bool - name: Munin diff --git a/evolinux-base/tasks/motd.yml b/evolinux-base/tasks/motd.yml index 70079463..0d0b7157 100644 --- a/evolinux-base/tasks/motd.yml +++ b/evolinux-base/tasks/motd.yml @@ -1,6 +1,6 @@ --- - name: Deploy custom motd - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/motd force: True diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 4c2249e3..f8af347a 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -1,7 +1,7 @@ --- - name: Install/Update system tools - apt: + ansible.builtin.apt: name: - locales - sudo 
@@ -20,7 +20,7 @@ when: evolinux_packages_system | bool - name: Install/Update diagnostic tools - apt: + ansible.builtin.apt: name: - strace - htop @@ -39,7 +39,7 @@ when: evolinux_packages_diagnostic | bool - name: Install/Update hardware tools - apt: + ansible.builtin.apt: name: - hdparm - smartmontools @@ -47,7 +47,7 @@ when: ansible_virtualization_role == "host" - name: Install/Update common tools - apt: + ansible.builtin.apt: name: - vim - screen @@ -62,21 +62,21 @@ when: evolinux_packages_common | bool - name: Be sure that openntpd package is absent/purged - apt: + ansible.builtin.apt: name: openntpd state: absent purge: True when: evolinux_packages_purge_openntpd | bool - name: the chrony package is absent - apt: + ansible.builtin.apt: name: chrony purge: True state: absent when: evolinux_packages_purge_chrony | bool - name: Be sure locate/mlocate is absent/purged - apt: + ansible.builtin.apt: name: - locate - mlocate @@ -85,20 +85,20 @@ when: evolinux_packages_purge_locate | bool - name: Install/Update serveur-base meta-package - apt: + ansible.builtin.apt: name: serveur-base allow_unauthenticated: yes when: evolinux_packages_serveur_base | bool - name: Install/Update packages for Stretch and later - apt: + ansible.builtin.apt: name: net-tools when: - evolinux_packages_stretch | bool - ansible_distribution_major_version is version('9', '>=') - name: Install/Update packages for Buster and later - apt: + ansible.builtin.apt: name: - spectre-meltdown-checker - binutils @@ -107,14 +107,14 @@ - ansible_distribution_major_version is version('10', '>=') - name: Customize logcheck recipient - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logcheck/logcheck.conf regexp: '^SENDMAILTO=".*"$' line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' when: evolinux_packages_logcheck_recipient | bool - name: Deleting rpcbind and nfs-common - apt: + ansible.builtin.apt: name: - rpcbind - nfs-common 
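Review bot: The `Install/Update serveur-base meta-package` task in this hunk still sets `allow_unauthenticated: yes` (an unchanged context line), which runs apt with `--allow-unauthenticated` and accepts the package, and whatever the meta-package pulls in, from a repository with a missing or failing Release signature; since this series ships the Evolix repository key in the apt role, the override looks like a leftover. Drop the option, or if one old release genuinely still needs it, gate it on that release with a comment so the exception is visible and can expire. Worth doing while the task is being touched anyway.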
@@ -125,7 +125,7 @@ # TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes) - name: Configure Listchanges on Jessie - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/listchanges.conf regexp: '^{{ item.option }}\s*=' line: "{{ item.option }}={{ item.value }}" @@ -138,7 +138,7 @@ - ansible_distribution_release == "jessie" - name: apt-listchanges is absent on Stretch and later - apt: + ansible.builtin.apt: name: apt-listchanges state: absent when: @@ -146,4 +146,4 @@ - ansible_distribution_major_version is version('9', '>=') - evolinux_packages_delete_aptlistchanges -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 6a46548b..1c5d986c 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -1,18 +1,18 @@ --- - name: Postfix packages are installed - apt: + ansible.builtin.apt: name: - postfix - mailgraph state: present - when: evolinux_postfix_packages | bool tags: - packages - postfix + when: evolinux_postfix_packages | bool - name: configure postfix myhostname - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present line: "myhostname = {{ evolinux_fqdn }}" @@ -22,7 +22,7 @@ - postfix - name: configure postfix mynetworks - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" @@ -32,8 +32,8 @@ - postfix - name: fetch users list - shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" executable: /bin/bash check_mode: no register: non_root_users_list 
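Review bot: The new `cmd:` line keeps `grep -v root` at the end of the pipeline, which drops every account whose name merely contains `root` (a `chroot-…` or `rootbackup` service user, for instance), not just `root` itself, so those users would silently never be aliased in the following task. Use an exact match: `cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -vx root"`. The pipefail/bash handling is otherwise correct.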
@@ -42,18 +42,18 @@ - postfix - name: each user is aliased to root - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^{{ item }}:.*" line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: evolinux_postfix_users_alias_root | bool tags: - postfix + when: evolinux_postfix_users_alias_root | bool - name: additional users address aliased to root - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^{{ item }}:.*" line: "{{ item }}: root" @@ -65,24 +65,24 @@ - error - bounce notify: newaliases - when: evolinux_postfix_mailer_alias_root | bool tags: - postfix + when: evolinux_postfix_mailer_alias_root | bool - name: root alias is configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: evolinux_postfix_root_alias | bool tags: - postfix + when: evolinux_postfix_root_alias | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers - name: exim4 is absent - apt: + ansible.builtin.apt: name: - exim4 - exim4-base @@ -90,9 +90,9 @@ - exim4-daemon-light purge: yes state: absent - when: evolinux_postfix_purge_exim | bool tags: - packages - postfix + when: evolinux_postfix_purge_exim | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/provider_online.yml b/evolinux-base/tasks/provider_online.yml index 8174d15c..5696e504 100644 --- a/evolinux-base/tasks/provider_online.yml +++ b/evolinux-base/tasks/provider_online.yml @@ -1,8 +1,8 @@ -- debug: +- ansible.builtin.debug: msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf." - name: custom NTP server for Online servers - set_fact: + ansible.builtin.set_fact: nagios_nrpe_default_ntp_server: "ntp.online.net" -# - meta: flush_handlers +# - ansible.builtin.meta: flush_handlers 
diff --git a/evolinux-base/tasks/provider_orange_fce.yml b/evolinux-base/tasks/provider_orange_fce.yml index 4b9a26c7..c861ccd1 100644 --- a/evolinux-base/tasks/provider_orange_fce.yml +++ b/evolinux-base/tasks/provider_orange_fce.yml @@ -1,5 +1,5 @@ - name: Customize kernel for Orange FCE - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/evolinux_fce.conf @@ -10,7 +10,7 @@ - { name: net.ipv4.tcp_keepalive_intvl, value: 60 } - { name: net.ipv6.conf.all.disable_ipv6, value: 1 } -- debug: +- ansible.builtin.debug: msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf." -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml index dbf93d0e..04daa219 100644 --- a/evolinux-base/tasks/provider_vmware.yml +++ b/evolinux-base/tasks/provider_vmware.yml @@ -1,6 +1,7 @@ --- - name: Check if the virtual machine on VMWare Host - shell: "dmidecode | grep -q 'VMware'" + ansible.builtin.shell: + cmd: "dmidecode | grep -q 'VMware'" check_mode: no register: vmware_provider failed_when: False @@ -9,7 +10,7 @@ - packages - name: OpenVM Tools are installed for vmware - apt: + ansible.builtin.apt: state: present name: open-vm-tools tags: diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 3e3d6add..3b17faf7 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -1,14 +1,14 @@ --- - name: chmod 700 /root - file: + ansible.builtin.file: path: /root state: directory mode: "0700" when: evolinux_root_chmod | bool - name: "Customize root's bashrc..." - lineinfile: + ansible.builtin.lineinfile: dest: /root/.bashrc line: "{{ item }}" create: yes 
@@ -24,34 +24,35 @@ ## .bash_history should be append-only - name: Create .bash_history if missing - copy: + ansible.builtin.copy: content: "" dest: "/root/.bash_history" force: no when: evolinux_root_bash_history | bool - name: Set umask in /root/.profile - lineinfile: + ansible.builtin.lineinfile: dest: "/root/.profile" line: "umask 0077" regexp: "umask [0-9]+" when: evolinux_root_umask | bool - name: "/usr/share/scripts is present in root's PATH" - lineinfile: + ansible.builtin.lineinfile: dest: "/root/.profile" line: "PATH=\"${PATH}:/usr/share/scripts\"" when: ansible_distribution_major_version is version('10', '>=') - name: Custom git config for root - copy: + ansible.builtin.copy: src: root/gitconfig dest: "/root/.gitconfig" force: no when: evolinux_root_gitconfig | bool - name: Is .bash_history append-only - shell: lsattr /root/.bash_history | grep -E "^.*a.* " + ansible.builtin.shell: + cmd: lsattr /root/.bash_history | grep -E "^.*a.* " check_mode: no register: bash_history_append_only failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr" @@ -59,14 +60,15 @@ changed_when: False - name: Set .bash_history append-only - command: chattr +a /root/.bash_history + ansible.builtin.command: + cmd: chattr +a /root/.bash_history when: - - evolinux_root_bash_history_appendonly | bool - - bash_history_append_only.rc != 0 - - "'Inappropriate ioctl' not in bash_history_append_only.stderr" + - evolinux_root_bash_history_appendonly | bool + - bash_history_append_only.rc != 0 + - "'Inappropriate ioctl' not in bash_history_append_only.stderr" - name: Setting vim as selected-editor - lineinfile: + ansible.builtin.lineinfile: dest: /root/.selected_editor regexp: '^SELECTED_EDITOR=' line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\"" @@ -74,7 +76,7 @@ when: evolinux_root_vim_default | bool - name: Setting vim root configuration - lineinfile: + ansible.builtin.lineinfile: dest: /root/.vimrc line: "{{ item }}" create: yes 
@@ -89,7 +91,7 @@ when: evolinux_root_vim_conf | bool - name: disable SSH access for root - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" @@ -99,7 +101,7 @@ ### Disabled : it seems useless and too dangerous for now # - name: remove root from AllowUsers directive -# replace: +# ansible.builtin.replace: # dest: /etc/ssh/sshd_config # regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' # replace: '\1\4' @@ -107,4 +109,4 @@ # notify: reload sshd # when: evolinux_root_disable_ssh -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 5d71e827..c6965e09 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -1,14 +1,14 @@ --- - name: /tmp must be world-writable - file: + ansible.builtin.file: path: /tmp state: directory mode: "u=rwx,g=rwx,o=rwxt" when: evolinux_system_chmod_tmp | bool - name: Setting default locales - lineinfile: + ansible.builtin.lineinfile: dest: /etc/locale.gen line: "{{ item }}" create: yes @@ -21,11 +21,12 @@ when: evolinux_system_locales | bool - name: Reconfigure locales - command: /usr/sbin/locale-gen + ansible.builtin.command: + cmd: /usr/sbin/locale-gen when: evolinux_system_locales and default_locales is changed - name: Setting default timezone - timezone: + community.general.timezone: name: "{{ evolinux_system_timezone | mandatory }}" notify: restart cron when: evolinux_system_set_timezone | bool 
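Review bot: The `disable SSH access for root` replace only edits `/etc/ssh/sshd_config`; on Debian 11 and 12 that file begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it obtains, so a drop-in that sets `PermitRootLogin yes` (some cloud images ship one) wins over the line this task rewrites while the task still reports success. Since the role now targets bookworm, pair the replace with a check of `/etc/ssh/sshd_config.d/` for `^PermitRootLogin` that fails or removes the directive, and add `validate: /usr/sbin/sshd -t -f %s` to the replace so a bad edit never reaches the running daemon. The line is unchanged by this commit apart from the module name.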
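Review bot: `community.general.timezone` (and `community.general.alternatives` in the next hunk) adds a dependency on the community.general collection, which is not part of ansible-core and is not declared anywhere visible in this series, so a control node with only ansible-core fails at parse time on these tasks. Declare it next to the ansible.posix dependency introduced in fstab.yml, e.g. in a requirements.yml with `collections: [ansible.posix, community.general]`, or state the minimum `ansible` package version that bundles both. Also note the `Reconfigure locales` condition `evolinux_system_locales and default_locales is changed` relies on `default_locales` being registered by the preceding task; that task is outside the hunk, so I could not confirm the `register:` is still present.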
@@ -37,20 +38,20 @@ name: evolix/remount-usr - name: Ensure automagic vim conf is disabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/vim/vimrc regexp: 'let g:skip_defaults_vim =' line: 'let g:skip_defaults_vim = 1' when: evolinux_system_vim_skip_defaults | bool - name: Setting vim as default editor - alternatives: + community.general.alternatives: name: editor path: /usr/bin/vim.basic when: evolinux_system_vim_default_editor | bool - name: Add "umask 027" to /etc/profile.d/evolinux.sh - lineinfile: + ansible.builtin.lineinfile: dest: /etc/profile.d/evolinux.sh line: "umask 027" create: yes @@ -58,7 +59,7 @@ when: evolinux_system_profile | bool - name: Set /etc/adduser.conf DIR_MODE to 0700 - replace: + ansible.builtin.replace: dest: /etc/adduser.conf regexp: "^DIR_MODE=0755$" replace: "DIR_MODE=0700" @@ -67,7 +68,7 @@ # TODO: trouver comment ne pas faire ça sur Xen Dom-U - name: Deactivating login on all tty except tty2 - lineinfile: + ansible.builtin.lineinfile: dest: /etc/securetty line: "tty2" create: yes @@ -75,7 +76,7 @@ when: evolinux_system_restrict_securetty | bool - name: Setting TMOUT to disconnect inactive users - lineinfile: + ansible.builtin.lineinfile: dest: /etc/profile.d/evolinux.sh line: "export TMOUT={{ evolinux_system_timeout }}" regexp: "^export TMOUT=" @@ -86,8 +87,8 @@ #- name: Customizing /etc/fstab - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -95,7 +96,7 @@ register: is_cron_installed - name: Set verbose logging for cron deamon - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/cron line: "EXTRA_OPTS='-L 15'" create: yes 
@@ -105,7 +106,7 @@ - evolinux_system_cron_verboselog | bool - name: Modify default umask for cron deamon - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/cron line: "umask 022" create: yes @@ -115,7 +116,7 @@ - evolinux_system_cron_umask | bool - name: Randomize periodic crontabs - replace: + ansible.builtin.replace: dest: /etc/crontab regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" @@ -134,7 +135,7 @@ ## alert5 - name: Install alert5 init script (jessie/stretch) - template: + ansible.builtin.template: src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 force: no @@ -144,7 +145,7 @@ - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" - name: Enable alert5 init script (jessie/stretch) - service: + ansible.builtin.service: name: alert5 enabled: yes when: @@ -155,7 +156,7 @@ - name: Install alert5 init script (buster and later) - template: + ansible.builtin.template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh force: no @@ -165,7 +166,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Install alert5 service (buster and later) - copy: + ansible.builtin.copy: src: alert5.service dest: /etc/systemd/system/alert5.service force: yes @@ -175,7 +176,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Enable alert5 init script (buster and later) - systemd: + ansible.builtin.systemd: name: alert5 daemon_reload: yes enabled: yes @@ -188,14 +189,15 @@ ## network interfaces - name: "Is there an \"allow-hotplug\" interface ?" - command: grep allow-hotplug /etc/network/interfaces + ansible.builtin.command: + cmd: grep allow-hotplug /etc/network/interfaces failed_when: False changed_when: False check_mode: no register: grep_hotplug_eni - name: "Network interfaces must be \"auto\" and not \"allow-hotplug\"" - replace: + ansible.builtin.replace: dest: /etc/network/interfaces regexp: "allow-hotplug" replace: "auto" 
@@ -203,6 +205,4 @@ - evolinux_system_eni_auto | bool - grep_hotplug_eni.rc == 0 -## /sbin/deny - -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index c8aa58e8..76fbac82 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -7,7 +7,7 @@ file: dump-server-state.yml - name: "/sbin/deny script is present" - copy: + ansible.builtin.copy: src: deny.sh dest: /sbin/deny mode: "0700" @@ -16,7 +16,7 @@ force: no - name: update-evobackup-canary script is present - copy: + ansible.builtin.copy: src: update-evobackup-canary dest: /usr/local/bin/update-evobackup-canary force: True @@ -26,26 +26,17 @@ # TODO: delete when this has been run once on all our servers - name: update-evobackup-canary is removed from sbin - file: + ansible.builtin.file: path: /usr/local/sbin/update-evobackup-canary state: absent -# - name: dir-check script is present -# copy: -# src: "dir-check.sh" -# dest: /usr/local/bin/dir-check -# force: True -# owner: root -# group: root -# mode: "0755" - - name: Deploy htop configuration - copy: + ansible.builtin.copy: src: htoprc dest: /etc/htoprc mode: "0644" - name: Deploy top configuration file - file: + ansible.builtin.file: path: /etc/topdefaultrc state: absent From 38b106a8f214dde5172d27a06af5569d51ac3da8 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:36:50 +0100 Subject: [PATCH 07/45] evolinux-base: reorganize hardware section --- evolinux-base/tasks/hardware.dell.yml | 99 +++++++ evolinux-base/tasks/hardware.hp.yml | 87 +++++++ evolinux-base/tasks/hardware.yml | 245 ++---------------- .../templates/hardware/hp.sources.j2 | 8 + .../hardware/hwraid.le-vert.net.sources.j2 | 8 + 5 files changed, 230 insertions(+), 217 deletions(-) create mode 100644 evolinux-base/tasks/hardware.dell.yml create mode 100644 evolinux-base/tasks/hardware.hp.yml create mode 100644 evolinux-base/templates/hardware/hp.sources.j2 create mode 100644 evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml new file mode 100644 index 00000000..409d1e07 --- /dev/null +++ b/evolinux-base/tasks/hardware.dell.yml 
@@ -0,0 +1,99 @@ +--- + +## LSI MegaRAID 12GSAS/PCIe Secure SAS39xx +# This is still incompatible with Debian + +- name: Check if PERC HBA11 device is present + ansible.builtin.shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'" + check_mode: no + register: perc_hba11_search + failed_when: False + changed_when: False + tags: + - packages + +- name: MegaCLI SAS package must not be installed if PERC HBA11 is present + block: + - name: Disable harware RAID tasks + ansible.builtin.set_fact: + evolinux_packages_hardware_raid: False + + - name: blacklist mageclisas-status package + ansible.builtin.blockinfile: + dest: /etc/apt/preferences.d/0-blacklist + create: yes + marker: "## {mark} MEGACLISAS-STATUS BLACKLIST" + block: | + # DO NOT INSTALL THESE PACKAGES ON THIS SERVER + Package: megacli megaclisas-status + Pin: version * + Pin-Priority: -100 + + - name: Remove MegaCLI packages + ansible.builtin.apt: + name: + - megacli + - megaclisas-status + state: absent + when: perc_hba11_search.rc == 0 + +- name: MegaCLI SAS package is present + block: + - name: HWRaid GPG key is installed + ansible.builtin.copy: + src: hwraid.le-vert.net.asc + dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" + force: yes + mode: "0644" + owner: root + group: root + tags: + - packages + when: ansible_distribution_major_version is version('9', '>=') + + - name: Add HW tool repository (Debian <12) + ansible.builtin.apt_repository: + repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' + state: present + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '<') + + - name: Add HW tool repository (Debian >=12) + ansible.builtin.template: + src: hardware/hwraid.le-vert.net.sources.j2 + dest: /etc/apt/sources.list.d/hwraid.le-vert.net.sources + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '>=') + + - name: Install packages for DELL/LSI hardware + 
ansible.builtin.apt: + name: + - megacli + - megaclisas-status + allow_unauthenticated: yes + tags: + - packages + + - name: Configure packages for DELL/LSI hardware + ansible.builtin.template: + src: hardware/megaclisas-statusd.j2 + dest: /etc/default/megaclisas-statusd + mode: "0755" + tags: + - config + + - name: megaclisas-statusd is enabled and started + ansible.builtin.systemd: + name: megaclisas-statusd + enabled: true + state: restarted + tags: + - packages + - config + when: + - "'MegaRAID' in raidmodel.stdout" + diff --git a/evolinux-base/tasks/hardware.hp.yml b/evolinux-base/tasks/hardware.hp.yml new file mode 100644 index 00000000..ea17cae5 --- /dev/null +++ b/evolinux-base/tasks/hardware.hp.yml 
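Review bot: `Install packages for DELL/LSI hardware` still sets `allow_unauthenticated: yes` although the same block now installs `hwraid.le-vert.net.asc` and ties the repository to it with `signed-by`, so a bad or missing signature over this plain-http repository is accepted anyway and the signing setup guarantees nothing (the key is also only copied on Debian >= 9, so the `signed-by` reference dangles on older hosts). Drop that line, or if Jessie really still needs it, gate it: `allow_unauthenticated: "{{ ansible_distribution_major_version is version('9', '<') }}"`. On Debian >= 12 the repository is written by `template` and nothing refreshes the package index before the install (the `apt_repository` path does so by default), so add `update_cache: yes` to the install task. `mode: "0755"` on `/etc/default/megaclisas-statusd` makes a plain config file executable; `"0644"` is enough.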
@@ -0,0 +1,87 @@ +--- + +- name: HPE GPG key is installed + ansible.builtin.copy: + src: hpePublicKey2048_key1.asc + dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" + force: yes + mode: "0644" + owner: root + group: root + tags: + - packages + +- name: Add HPE repository (Debian <12) + ansible.builtin.apt_repository: + repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' + state: present + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Add HPE repository (Debian >=12) + ansible.builtin.template: + src: hardware/hp.sources.j2 + dest: /etc/apt/sources.list.d/hp.sources + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '>=') + +- name: Install HPE Smart Storage Administrator (ssacli) + ansible.builtin.apt: + name: ssacli + tags: + - packages + +# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role +# So, if nagios-nrpe role is not installed it will not work +- name: Install and configure check_hpraid cron (HP gen >=10) + block: + - name: check_hpraid cron is present (HP gen >=10) + ansible.builtin.copy: + src: check_hpraid.cron.sh + dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid + mode: "0755" + tags: + - config + when: + - "'Adaptec Smart Storage PQI' in raidmodel.stdout" + +- name: Install and configure cciss-vol-status (HP gen <10) + block: + - name: Install cciss-vol-status (HP gen <10) + ansible.builtin.apt: + name: cciss-vol-status + state: present + tags: + - packages + + - name: cciss-vol-statusd init script is present (HP gen <10) + ansible.builtin.template: + src: hardware/cciss-vol-statusd.j2 + dest: /etc/init.d/cciss-vol-statusd + mode: "0755" + tags: + - packages + + - name: Configure cciss-vol-statusd (HP gen <10) + ansible.builtin.lineinfile: + dest: /etc/default/cciss-vol-statusd + line: 'MAILTO="{{ 
raid_alert_email or general_alert_email | mandatory }}"' + regexp: 'MAILTO=' + create: yes + tags: + - config + + - name: Enable cciss-vol-status in systemd (HP gen <10) + ansible.builtin.systemd: + name: cciss-vol-statusd + enabled: true + state: restarted + tags: + - packages + - config + when: + - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 7ebecc82..d9b0cdcd 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -1,15 +1,24 @@ --- - name: Install pciutils - apt: + ansible.builtin.apt: name: pciutils state: present tags: - packages +- name: firmware-non-free components are installed (Debian 12+) + ansible.builtin.replace: + dest: /etc/apt/sources.list.d/system.sources + regexp: '^(Components: ((?!\bfirmware-non-free\b).)*)$' + replace: '\1 firmware-non-free' + when: + - ansible_distribution_major_version is version('12', '>=') + ## Broadcom NetXtreme II - name: Check if Broadcom NetXtreme II device is present - shell: "lspci | grep -q 'NetXtreme II'" + ansible.builtin.shell: + cmd: "lspci | grep -q 'NetXtreme II'" check_mode: no register: broadcom_netextreme_search failed_when: False 
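Review bot: On Debian >= 12 the HPE repository is only written to `/etc/apt/sources.list.d/hp.sources` by the `template` task, and unlike `apt_repository` (which refreshes the cache by default) nothing runs `apt update` before `Install HPE Smart Storage Administrator (ssacli)`, so on a first run apt does not know `ssacli` yet and the install fails; `Install cciss-vol-status (HP gen <10)` has the same gap. Add `update_cache: yes` to those two apt tasks, or notify an update handler from the template task. Adding `state: present` to the ssacli task would also match its sibling tasks.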
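Review bot: The component name in `firmware-non-free components are installed (Debian 12+)` does not exist: the component Debian 12 introduced is `non-free-firmware` (`firmware-non-free` is the package/source naming), so the edited `system.sources` stanza asks the mirror for a component it does not publish and `apt update` errors on it. Fix both the lookahead and the replacement: `regexp: '^(Components: ((?!\bnon-free-firmware\b).)*)$'` and `replace: '\1 non-free-firmware'`. Note that `replace` edits every `Components:` line in that file, which is presumably what is wanted if a security stanza lives there too.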
@@ -17,23 +26,21 @@ tags: - packages -# TODO: add the "non-free" part to the existing sources -# instead of adding a new source - -- name: Add non-free repo for Broadcom NetXtreme II - include_role: - name: evolix/apt - tasks_from: basics.yml - vars: - apt_basics_components: "main contrib non-free" +- name: Add non-free repo for Broadcom NetXtreme II (Debian <12) + ansible.builtin.replace: + dest: /etc/apt/sources.list + regexp: '^(main ((?!\bnon-free\b).)*)$' + replace: '\1 non-free' tags: - packages - when: broadcom_netextreme_search.rc == 0 + when: + - broadcom_netextreme_search.rc == 0 + - ansible_distribution_major_version is version('12', '<') +## Baremetal servers -## Dedicated hardware - name: Install some additionnals tools when it dedicated hardware - apt: + ansible.builtin.apt: name: - libipc-run-perl - freeipmi @@ -43,14 +50,13 @@ state: present tags: - packages - when: ansible_virtualization_role == "host" ## RAID # Dell and others: MegaRAID SAS # HP gen <10: Hewlett-Packard Company Smart Array # HP gen >=10: Adaptec Smart Storage PQI - name: Detect if RAID is installed - shell: + ansible.builtin.shell: cmd: "lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'" executable: /bin/bash check_mode: no 
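Review bot: `Add non-free repo for Broadcom NetXtreme II (Debian <12)` anchors its pattern at line start, `regexp: '^(main ((?!\bnon-free\b).)*)$'`, but one-line-format entries in `/etc/apt/sources.list` start with `deb` or `deb-src` and the components follow the suite, so `^main` never matches and non-free is never added, a regression against the `include_role` it replaces, which did set `main contrib non-free`. Anchor on the entry instead, e.g. `regexp: '^(deb(-src)? .*\bmain\b((?!\bnon-free\b).)*)$'` with the same `replace: '\1 non-free'`, and check it against a real sources.list since the exact layout of the Evolix-managed file is not visible here.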
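Review bot: Removing `when: ansible_virtualization_role == "host"` makes `Install some additionnals tools when it dedicated hardware` unconditional, so libipc-run-perl, freeipmi and the rest of the list (which continues outside the hunk) are now installed on virtual machines as well, while the task name and the new `## Baremetal servers` heading still say bare metal. If hardware.yml is now only reached on physical hosts (not visible here), rename the task to say so; otherwise restore the guard.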
@@ -60,211 +66,16 @@ tags: - packages -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - packages - -- name: HPE Smart Storage Administrator (ssacli) is present - block: - - name: HPE GPG embedded key is absent - apt_key: - id: "26C2B797" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - packages - - - name: HPE GPG key is installed - copy: - src: hpePublicKey2048_key1.asc - dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - packages - - - name: Add HPE repository - apt_repository: - repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' - state: present - tags: - - packages - - - name: Remove unsigned HPE repository - apt_repository: - repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' - state: absent - tags: - - packages - - - name: Install HPE Smart Storage Administrator (ssacli) - apt: - name: ssacli - tags: - - packages +- name: "HP" + import_tasks: hardware.hp.yml when: - - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - - "'Adaptec Smart Storage PQI' in raidmodel.stdout" + - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout or 'Adaptec Smart Storage PQI' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool -# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role -# So, if nagios-nrpe role is not installed it will not work -- name: Install and configure check_hpraid cron (HP gen >=10) - block: - - name: check_hpraid cron is present (HP gen >=10) - copy: - src: check_hpraid.cron.sh - dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid - mode: "0755" - tags: - - config - when: "'Adaptec Smart Storage PQI' in raidmodel.stdout" - -- 
name: Install and configure cciss-vol-status (HP gen <10) - block: - - name: Install cciss-vol-status (HP gen <10) - apt: - name: cciss-vol-status - state: present - tags: - - packages - - - name: cciss-vol-statusd init script is present (HP gen <10) - template: - src: hardware/cciss-vol-statusd.j2 - dest: /etc/init.d/cciss-vol-statusd - mode: "0755" - tags: - - packages - - - name: Configure cciss-vol-statusd (HP gen <10) - lineinfile: - dest: /etc/default/cciss-vol-statusd - line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"' - regexp: 'MAILTO=' - create: yes - tags: - - config - - - name: Enable cciss-vol-status in systemd (HP gen <10) - service: - name: cciss-vol-statusd - enabled: true - state: restarted - tags: - - packages - - config - when: - - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - - evolinux_packages_hardware_raid | bool - -## LSI MegaRAID 12GSAS/PCIe Secure SAS39xx -# This is still incompatible with Debian - -- name: Check if PERC HBA11 device is present - shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'" - check_mode: no - register: perc_hba11_search - failed_when: False - changed_when: False - tags: - - packages - -- name: MegaCLI SAS package must not be installed if PERC HBA11 is present - block: - - name: Disable harware RAID tasks - set_fact: - evolinux_packages_hardware_raid: False - - - name: blacklist mageclisas-status package - blockinfile: - dest: /etc/apt/preferences.d/0-blacklist - create: yes - marker: "## {mark} MEGACLISAS-STATUS BLACKLIST" - block: | - # DO NOT INSTALL THESE PACKAGES ON THIS SERVER - Package: megacli megaclisas-status - Pin: version * - Pin-Priority: -100 - - - name: Remove MegaCLI packages - apt: - name: - - megacli - - megaclisas-status - state: absent - when: perc_hba11_search.rc == 0 - -- name: MegaCLI SAS package is present - block: - - name: HWRaid embedded GPG key is absent - apt_key: - id: "23B3D3B4" - keyring: /etc/apt/trusted.gpg - state: absent - tags: - - packages - 
when: _trusted_gpg_keyring.stat.exists - - - name: HWRaid GPG key is installed - copy: - src: hwraid.le-vert.net.asc - dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - packages - when: ansible_distribution_major_version is version('9', '>=') - - - name: Add HW tool repository - apt_repository: - repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' - state: present - tags: - - packages - - - name: Remove unsigned HW tool repository - apt_repository: - repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' - state: absent - tags: - - packages - - - name: Install packages for DELL/LSI hardware - apt: - name: - - megacli - - megaclisas-status - allow_unauthenticated: yes - tags: - - packages - - - name: Configure packages for DELL/LSI hardware - template: - src: hardware/megaclisas-statusd.j2 - dest: /etc/default/megaclisas-statusd - mode: "0755" - tags: - - config - - - name: Enable DELL/LSI hardware in systemd - service: - name: megaclisas-statusd - enabled: true - state: restarted - tags: - - packages - - config +- name: "Dell" + import_tasks: hardware.dell.yml when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/templates/hardware/hp.sources.j2 b/evolinux-base/templates/hardware/hp.sources.j2 new file mode 100644 index 00000000..04ccbc9d --- /dev/null +++ b/evolinux-base/templates/hardware/hp.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://downloads.linux.hpe.com/SDR/repo/mcp +Suites: {{ ansible_distribution_release }}/current +Components: non-free +Signed-by: {{ apt_keyring_dir }}/hpePublicKey2048_key1.asc +Enabled: yes \ No newline at end of file 
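Review bot: The cleanup tasks disappear with this hunk and are not carried into hardware.hp.yml or hardware.dell.yml: `HPE GPG embedded key is absent` and `HWRaid embedded GPG key is absent` (`apt_key ... state: absent` on `/etc/apt/trusted.gpg`, key ids `26C2B797` and `23B3D3B4`) and the two `Remove unsigned ... repository` tasks. On hosts provisioned by the previous version those keys stay in the legacy keyring, where apt trusts them for every repository rather than only the `signed-by` one, and the unsigned `deb` lines remain as duplicate sources. Keep the four removal tasks in the new per-vendor files (together with the `_trusted_gpg_keyring` stat they depend on), or state in the commit message that the migration has already been run on all hosts.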
diff --git a/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 b/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 new file mode 100644 index 00000000..9d424a5b --- /dev/null +++ b/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://hwraid.le-vert.net/debian +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc] +Enabled: yes From 958109c3b3d85573bdedf5cef3ebf97a5857cb75 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:37:58 +0100 Subject: [PATCH 08/45] evolinux-base: reorganize ssh section --- evolinux-base/tasks/main.yml | 14 ++- evolinux-base/tasks/ssh.included-files.yml | 104 ++++++++++++++++++ .../tasks/{ssh.yml => ssh.single-file.yml} | 22 ++-- 3 files changed, 127 insertions(+), 13 deletions(-) create mode 100644 evolinux-base/tasks/ssh.included-files.yml rename evolinux-base/tasks/{ssh.yml => ssh.single-file.yml} (90%) diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 29a77524..b9afc630 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -56,9 +56,17 @@ name: evolix/evomaintenance when: evolinux_evomaintenance_include | bool -- name: SSH configuration - include: ssh.yml - when: evolinux_ssh_include | bool +- name: SSH configuration (single file) + import_tasks: ssh.single-file.yml + when: + - ansible_distribution_major_version is version('12', '<') + - evolinux_ssh_include | bool + +- name: SSH configuration (included-files) + import_tasks: ssh.included-files.yml + when: + - ansible_distribution_major_version is version('12', '>=') + - evolinux_ssh_include | bool ### disabled because of a memory leak # - name: Create evolinux users diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml new file mode 100644 index 00000000..952b661f --- /dev/null 
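Review bot: `Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc]` ends with a stray `]` carried over from the one-line `[signed-by=...]` syntax, so apt is pointed at a keyring path that does not exist and the Release signature for this repository can never be verified; the megacli install would then only go through because hardware.dell.yml sets `allow_unauthenticated: yes`. Drop the bracket: `Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc`. The `hp.sources.j2` template added just before this one has the correct form.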
+++ b/evolinux-base/tasks/ssh.included-files.yml 
@@ -0,0 +1,104 @@ +--- +# This is a copy of ssh.single-file.yml +# It needs to be changed when we move to a included-files configuration + + +- ansible.builtin.debug: + msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" + when: evolinux_ssh_password_auth_addresses == [] + +# From 'man sshd_config' : +# « If all of the criteria on the Match line are satisfied, the keywords +# on the following lines override those set in the global section of the config +# file, until either another Match line or the end of the file. +# If a keyword appears in multiple Match blocks that are satisfied, +# only the first instance of the keyword is applied. » +# +# We want to allow any user from a list of IP addresses to login with password, +# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses + +- name: "Security directives for Evolinux (Debian 10 or later)" + ansible.builtin.blockinfile: + dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" + block: | + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + Match Group {{ evolinux_internal_group }} + PasswordAuthentication no + insertafter: EOF + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_major_version is version('10', '>=') + +- name: Security directives for Evolinux (Jessie/Stretch) + ansible.builtin.blockinfile: + dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" + block: | + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + insertafter: EOF + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_major_version is version('10', '<') + +# We disable AcceptEnv because it can be a security issue, but also 
because we +# do not want clients to push their environment variables like LANG. +- name: disable AcceptEnv in ssh config + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^AcceptEnv' + replace: "#AcceptEnv" + notify: reload sshd + when: evolinux_ssh_disable_acceptenv | bool + +- name: Set log level to verbose (for Debian >= 9) + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^#?LogLevel [A-Z]+' + replace: "LogLevel VERBOSE" + notify: reload sshd + when: ansible_distribution_major_version is version('9', '>=') + +- name: "Get current user" + ansible.builtin.command: + cmd: logname + changed_when: False + register: logname + check_mode: no + when: evolinux_ssh_allow_current_user | bool + +# we must double-escape caracters, because python +- name: verify AllowUsers directive + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + failed_when: False + changed_when: False + register: grep_allowusers_ssh + check_mode: no + when: evolinux_ssh_allow_current_user | bool + +- name: "Add AllowUsers sshd directive for current user" + ansible.builtin.lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowUsers {{ logname.stdout }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 + +- name: "Modify AllowUsers sshd directive for current user" + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' + replace: '\1 {{ logname.stdout }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 + +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.single-file.yml similarity index 90% rename from evolinux-base/tasks/ssh.yml rename to evolinux-base/tasks/ssh.single-file.yml index e063d164..e76d792f 100644 
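Review bot: This file is what main.yml imports for Debian >= 12, yet every task still edits only `/etc/ssh/sshd_config`: the `AcceptEnv` and `LogLevel` replaces, the `AllowUsers` grep/lineinfile and the appended Match blocks. On bookworm the stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for a keyword, so an `AcceptEnv` or `LogLevel` set in any drop-in silently wins over what these tasks write and the hardening does not take effect; the `grep -E '^AllowUsers' /etc/ssh/sshd_config` check likewise cannot see an AllowUsers that lives in a drop-in. Until the rework the header comment promises, write the global directives into a drop-in that sorts first, e.g. `/etc/ssh/sshd_config.d/00-evolinux.conf` holding `LogLevel VERBOSE`, and leave only the order-sensitive Match blocks appended to sshd_config. `validate: '/usr/sbin/sshd -t -f %s'` follows the Include, so it will not flag this precedence problem.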
--- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.single-file.yml @@ -1,5 +1,5 @@ --- -- debug: +- ansible.builtin.debug: msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" when: evolinux_ssh_password_auth_addresses == [] @@ -14,7 +14,7 @@ # but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses - name: "Security directives for Evolinux (Debian 10 or later)" - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" block: | @@ -30,7 +30,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Security directives for Evolinux (Jessie/Stretch) - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" block: | @@ -46,7 +46,7 @@ # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. - name: disable AcceptEnv in ssh config - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^AcceptEnv' replace: "#AcceptEnv" @@ -54,7 +54,7 @@ when: evolinux_ssh_disable_acceptenv | bool - name: Set log level to verbose (for Debian >= 9) - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#?LogLevel [A-Z]+' replace: "LogLevel VERBOSE" @@ -62,7 +62,8 @@ when: ansible_distribution_major_version is version('9', '>=') - name: "Get current user" - command: logname + ansible.builtin.command: + cmd: logname changed_when: False register: logname check_mode: no @@ -70,7 +71,8 @@ # we must double-escape caracters, because python - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" failed_when: False changed_when: False register: grep_allowusers_ssh 
@@ -78,7 +80,7 @@ when: evolinux_ssh_allow_current_user | bool - name: "Add AllowUsers sshd directive for current user" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ logname.stdout }}" insertafter: 'Subsystem' @@ -87,7 +89,7 @@ when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 - name: "Modify AllowUsers sshd directive for current user" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' replace: '\1 {{ logname.stdout }}' @@ -95,4 +97,4 @@ notify: reload sshd when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers From 5974f12b828197ec1105962c6265103b41c60787 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:50:06 +0100 Subject: [PATCH 09/45] evolinux-base: fix conditional precedence --- apt/templates/bookworm_basics.sources.j2 | 2 +- apt/templates/bookworm_security.sources.j2 | 2 +- evolinux-base/tasks/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 index 247d7ec3..5a0cd3aa 100644 --- a/apt/templates/bookworm_basics.sources.j2 +++ b/apt/templates/bookworm_basics.sources.j2 @@ -4,4 +4,4 @@ Types: deb URIs: http://mirror.evolix.org/debian Suites: bookworm bookworm-updates Components: {{ apt_basics_components | mandatory }} -Enabled: yes \ No newline at end of file +Enabled: yes diff --git a/apt/templates/bookworm_security.sources.j2 b/apt/templates/bookworm_security.sources.j2 index 0b0e4190..56180957 100644 --- a/apt/templates/bookworm_security.sources.j2 +++ b/apt/templates/bookworm_security.sources.j2 @@ -4,4 +4,4 @@ Types: deb URIs: https://security.debian.org/debian-security Suites: bookworm-security Components: {{ apt_basics_components | mandatory }} -Enabled: yes \ No newline at end of file +Enabled: yes 
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index b9afc630..35b48830 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -14,7 +14,7 @@ apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" apt_upgrade: "{{ evolinux_apt_upgrade }}" - apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}" + apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}" when: evolinux_apt_include | bool - name: /etc versioning with Git From 49d8c99328bab62d87e148b5028391db3288b44e Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 20 Mar 2023 14:56:11 +0100 Subject: [PATCH 10/45] pub_evolix.asc is also needed in lxc-php --- lxc-php/files/pub_evolix.asc | 87 ++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 lxc-php/files/pub_evolix.asc diff --git a/lxc-php/files/pub_evolix.asc b/lxc-php/files/pub_evolix.asc new file mode 100644 index 00000000..4a21bdfe --- /dev/null +++ b/lxc-php/files/pub_evolix.asc 
@@ -0,0 +1,87 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N +YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN +OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV +Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw +ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 +7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 +mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma +dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 +huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm +vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk ++XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB +tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy +PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy +x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq +yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 +D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt +c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N +q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F +btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ +ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa +C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D +jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp +5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo +JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 +Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F +5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o +aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba +mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp 
+g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs +h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M +Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb +sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A +5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A +etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 +smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ +Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX +mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F +V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT +foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 +b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 +FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI +7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb ++dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc +fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF +bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR +Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ +7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ +RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc +8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX +fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd +gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ +YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 +4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL +1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK +3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj +9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB +jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC +LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG 
+j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H +BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M +jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q +BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym +Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 +lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH +El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV +sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp +IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz +DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM +G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 +IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs +UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac +lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm +AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r +adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf +SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v +2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz +kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg +2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad +OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf +nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk +jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH +oA9QflpnDubMnCve +=ZCml +-----END PGP PUBLIC KEY BLOCK----- From f1644ed138cb7a98193e4813aca5ff1a90a7c7cd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 19:52:55 +0100 Subject: [PATCH 11/45] docker: source list for Debian 12 --- docker-host/tasks/main.yml | 24 ++++++++++++++++-------- docker-host/templates/docker.sources.j2 | 8 ++++++++ 2 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 docker-host/templates/docker.sources.j2 
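Review bot: This adds a second full copy of the Evolix public key under `lxc-php/files/` while, per the commit message, the same `pub_evolix.asc` already ships in the `apt` role, so the two copies can drift at the next key rotation or subkey refresh and the container path would keep trusting a stale key. Prefer referencing the one existing file from the lxc-php task (a `src` path into the apt role's files, or a repository symlink) so there is a single trusted copy to update. Until then, verify both copies agree: the issuer-fingerprint subpacket in this block's self-signature decodes to `FFAF 7D1B F350 AD45 FAB3 2909 468F 5AD6 B863 063D`, and `gpg --show-keys` on the apt role's copy should print the same.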
diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index b73fde0b..163ec76c 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -11,11 +11,17 @@ - name: Install source requirements apt: name: - - apt-transport-https - ca-certificates - gnupg2 state: present +- name: Install apt-transport-https (Debian <10) + apt: + name: + - apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + - name: Add Docker's official GPG key copy: src: docker-debian.asc @@ -25,17 +31,19 @@ owner: root group: root -- name: Add Docker repository +- name: Add Docker repository (Debian <12) apt_repository: repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + filename: docker.list state: present - filename: docker.list + when: ansible_distribution_major_version is version('12', '<') -- name: Drop unsigned Docker repository - apt_repository: - repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' - state: absent - filename: docker.list +- name: Add Docker repository (Debian >=12) + ansible.builtin.template: + src: docker.sources.j2 + dest: /etc/apt/sources.list.d/docker.sources + state: present + when: ansible_distribution_major_version is version('12', '>=') - name: Install Docker apt: diff --git a/docker-host/templates/docker.sources.j2 b/docker-host/templates/docker.sources.j2 new file mode 100644 index 00000000..5e349774 --- /dev/null +++ b/docker-host/templates/docker.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://download.docker.com/linux/debian +Suites: {{ ansible_distribution_release }} +Components: stable +Signed-by: {{ apt_keyring_dir }}/docker-debian.asc +Enabled: yes \ No newline at end of file From 45e8132d0765096e0f97799e2a7bf0f4d06d3cb2 Mon Sep 17 00:00:00 2001 
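Review bot: In the `Add Docker repository (Debian >=12)` task `state: present` is passed to `ansible.builtin.template`, which has no such option; the template action plugin fails the task with `'state' cannot be specified on a template`, so the whole Debian 12 path aborts before `docker.sources` is written. Drop that line — `src` and `dest` already express the desired state. Removing the `Drop unsigned Docker repository` task also means hosts that still carry the pre-`signed-by` entry in `docker.list` are no longer cleaned up, which is only acceptable if no such hosts remain.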
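Review bot: `docker.sources.j2` is added without a trailing newline (`\ No newline at end of file` after `Enabled: yes`), the very defect patch 09 of this series corrected in the bookworm templates; APT's deb822 parser is tolerant of it, but a missing final newline makes the last field easy to corrupt on edit and trips line-oriented tooling. Add the newline so every `.sources` template in the series is consistent. Scoping trust to the Docker key through `Signed-by:` instead of a globally trusted keyring is the right shape for this file.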
From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:44:53 +0100 Subject: [PATCH 12/45] Install deb822 sources on Debian >=12 --- docker-host/tasks/main.yml | 39 ++++++----- elasticsearch/tasks/apt_sources.yml | 36 ++++++++++ elasticsearch/tasks/packages.yml | 70 +++---------------- elasticsearch/templates/elastic.sources.j2 | 8 +++ evolinux-base/tasks/hardware.dell.yml | 10 ++- filebeat/tasks/apt_sources.yml | 36 ++++++++++ filebeat/tasks/main.yml | 65 ++--------------- filebeat/templates/elastic.sources.j2 | 8 +++ .../files/{fluentd.asc => treasuredata.asc} | 0 fluentd/tasks/main.yml | 43 ++++-------- fluentd/templates/treasuredata.sources.j2 | 8 +++ jenkins/tasks/main.yml | 32 ++++----- jenkins/templates/jenkins.sources.j2 | 7 ++ kibana/tasks/apt_sources.yml | 36 ++++++++++ kibana/tasks/main.yml | 66 +++-------------- kibana/templates/elastic.sources.j2 | 8 +++ logstash/tasks/apt_sources.yml | 36 ++++++++++ logstash/tasks/main.yml | 65 ++--------------- logstash/templates/elastic.sources.j2 | 8 +++ metricbeat/tasks/apt_sources.yml | 36 ++++++++++ metricbeat/tasks/main.yml | 65 ++--------------- metricbeat/templates/elastic.sources.j2 | 8 +++ mongodb/tasks/main.yml | 11 +-- mongodb/tasks/main_bullseye.yml | 26 +------ newrelic/tasks/php.yml | 13 ++-- newrelic/tasks/sources.yml | 35 ++++------ newrelic/tasks/sysmond.yml | 4 +- newrelic/templates/newrelic.sources.j2 | 8 +++ nodejs/tasks/main.yml | 55 ++++++--------- nodejs/tasks/yarn.yml | 49 +++++-------- nodejs/templates/nodesource.sources.j2 | 8 +++ nodejs/templates/yarn.sources.j2 | 8 +++ php/tasks/sury_pre.yml | 60 +++++++++------- php/templates/sury.sources.j2 | 8 +++ postgresql/tasks/main.yml | 25 ++++--- postgresql/tasks/packages_bookworm.yml | 6 +- postgresql/tasks/packages_bullseye.yml | 1 + postgresql/tasks/packages_buster.yml | 1 + postgresql/tasks/packages_jessie.yml | 10 +-- postgresql/tasks/packages_stretch.yml | 1 + postgresql/tasks/pgdg-repo.yml | 31 ++++---- postgresql/tasks/postgis.yml | 1 + 
postgresql/templates/postgresql.sources.j2 | 8 +++ 43 files changed, 518 insertions(+), 541 deletions(-) create mode 100644 elasticsearch/tasks/apt_sources.yml create mode 100644 elasticsearch/templates/elastic.sources.j2 create mode 100644 filebeat/tasks/apt_sources.yml create mode 100644 filebeat/templates/elastic.sources.j2 rename fluentd/files/{fluentd.asc => treasuredata.asc} (100%) create mode 100644 fluentd/templates/treasuredata.sources.j2 create mode 100644 jenkins/templates/jenkins.sources.j2 create mode 100644 kibana/tasks/apt_sources.yml create mode 100644 kibana/templates/elastic.sources.j2 create mode 100644 logstash/tasks/apt_sources.yml create mode 100644 logstash/templates/elastic.sources.j2 create mode 100644 metricbeat/tasks/apt_sources.yml create mode 100644 metricbeat/templates/elastic.sources.j2 create mode 100644 newrelic/templates/newrelic.sources.j2 create mode 100644 nodejs/templates/nodesource.sources.j2 create mode 100644 nodejs/templates/yarn.sources.j2 create mode 100644 php/templates/sury.sources.j2 create mode 100644 postgresql/templates/postgresql.sources.j2 diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 163ec76c..db57a6b6 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -1,7 +1,7 @@ # This role installs the docker daemon --- - name: Remove older docker packages - apt: + ansible.builtin.apt: name: - docker - docker-engine @@ -9,21 +9,21 @@ state: absent - name: Install source requirements - apt: + ansible.builtin.apt: name: - ca-certificates - gnupg2 state: present - name: Install apt-transport-https (Debian <10) - apt: + ansible.builtin.apt: name: - apt-transport-https state: present when: ansible_distribution_major_version is version('10', '<') - name: Add Docker's official GPG key - copy: + ansible.builtin.copy: src: docker-debian.asc dest: "{{ apt_keyring_dir }}/docker-debian.asc" force: yes 
@@ -32,10 +32,11 @@ group: root - name: Add Docker repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' - filename: docker.list + filename: docker state: present + update_cache: yes when: ansible_distribution_major_version is version('12', '<') - name: Add Docker repository (Debian >=12) @@ -43,43 +44,48 @@ src: docker.sources.j2 dest: /etc/apt/sources.list.d/docker.sources state: present + register: docker_sources when: ansible_distribution_major_version is version('12', '>=') +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: docker_sources is changed + - name: Install Docker - apt: + ansible.builtin.apt: name: - docker-ce - docker-ce-cli - containerd.io - update_cache: yes - name: python-docker is installed - apt: + ansible.builtin.apt: name: python-docker state: present when: ansible_python_version is version('3', '<') - name: python3-docker is installed - apt: + ansible.builtin.apt: name: python3-docker state: present when: ansible_python_version is version('3', '>=') - name: Copy Docker daemon configuration file - template: + ansible.builtin.template: src: daemon.json.j2 dest: /etc/docker/daemon.json notify: restart docker - name: Creating Docker tmp directory - file: + ansible.builtin.file: path: "{{ docker_tmpdir }}" state: directory mode: "0644" owner: root - name: Creating Docker TLS directory - file: + ansible.builtin.file: path: "{{ docker_tls_path }}" state: directory mode: "0644" @@ -87,7 +93,7 @@ when: docker_tls_enabled | bool - name: Copy shellpki utility to Docker TLS directory - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "{{ docker_tls_path }}/{{ item }}" mode: "0744" 
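Review bot: Changing `filename: docker.list` to `filename: docker` fixes the `docker.list.list` double suffix that `apt_repository` produces (it appends `.list` itself), but nothing removes the `/etc/apt/sources.list.d/docker.list.list` written by earlier runs, so previously provisioned Debian <12 hosts now list the Docker repository twice; a host upgraded to Debian 12 similarly keeps `docker.list` next to the new `docker.sources`. Add a cleanup before the install, e.g. `ansible.builtin.file: path: /etc/apt/sources.list.d/docker.list.list, state: absent`, and consider the same for `docker.list` on the `>=12` path. The `register: docker_sources` / `when: docker_sources is changed` refresh is sound, since a skipped task evaluates as not changed.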
@@ -97,12 +103,13 @@ when: docker_tls_enabled | bool - name: Check if certs are already created - stat: + ansible.builtin.stat: path: "{{ docker_tls_path }}/certs" register: tls_certs_stat - name: Creating a CA, server key - command: "{{ docker_tls_path }}/shellpki.sh init" + ansible.builtin.command: + cmd: "{{ docker_tls_path }}/shellpki.sh init" when: - docker_tls_enabled | bool - not tls_certs_stat.stat.isdir diff --git a/elasticsearch/tasks/apt_sources.yml b/elasticsearch/tasks/apt_sources.yml new file mode 100644 index 00000000..a0395ffe --- /dev/null +++ b/elasticsearch/tasks/apt_sources.yml @@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 097d85e5..5188e3cc 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml 
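Review bot: The `Add Elastic repository (Debian >=12)` task passes `state: present` to `ansible.builtin.template`; the template action plugin rejects that option (`'state' cannot be specified on a template`), so on Debian 12 the role aborts before `elastic.sources` exists and before the cache refresh. Remove the line. This file is duplicated nearly verbatim into the filebeat, kibana, logstash and metricbeat roles (same `apt_sources.yml` content), so this fix and every future Elastic key rotation must be repeated five times; one shared tasks file imported with the product-specific tags would avoid that.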
@@ -1,73 +1,23 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - elasticsearch - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - elasticsearch - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - elasticsearch - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - elasticsearch - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - elasticsearch - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - elasticsearch - - packages +- name: APT sources + ansible.builtin.import_tasks: apt_sources.yml + args: + apply: + tags: + - elasticsearch + - packages - name: Elasticsearch is installed - apt: + ansible.builtin.apt: name: elasticsearch state: present + update_cache: yes tags: - elasticsearch - packages - name: Elasticsearch service is enabled - service: + ansible.builtin.systemd: name: elasticsearch enabled: yes tags: diff --git a/elasticsearch/templates/elastic.sources.j2 b/elasticsearch/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/elasticsearch/templates/elastic.sources.j2 
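Review bot: `ansible.builtin.import_tasks` does not accept `args: apply:`; `apply` is only valid on `include_tasks`, and the playbook parser fails with `Invalid options for import_tasks: apply`, so the role no longer loads at all. Tags placed on an import are inherited by every imported task, so replace the `args`/`apply` wrapper with `tags:` directly on the `APT sources` task (or switch to `ansible.builtin.include_tasks` if dynamic inclusion is wanted). Separately, dropping `Elastic embedded GPG key is absent` means the legacy key `D88E42B4` is no longer purged from `/etc/apt/trusted.gpg` on hosts that still have it, and a key in that keyring is trusted for every repository, not just Elastic's; keep that cleanup, for instance inside the new `apt_sources.yml`, unless such hosts are known to be gone.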
@@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml index 409d1e07..aa448147 100644 --- a/evolinux-base/tasks/hardware.dell.yml +++ b/evolinux-base/tasks/hardware.dell.yml @@ -55,6 +55,7 @@ ansible.builtin.apt_repository: repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' state: present + update_cache: yes tags: - packages when: @@ -66,8 +67,13 @@ dest: /etc/apt/sources.list.d/hwraid.le-vert.net.sources tags: - packages - when: - - ansible_distribution_major_version is version('12', '>=') + register: hwraid_sources + when: ansible_distribution_major_version is version('12', '>=') + + - name: Update APT cache + apt: + update_cache: yes + when: hwraid_sources is changed - name: Install packages for DELL/LSI hardware ansible.builtin.apt: diff --git a/filebeat/tasks/apt_sources.yml b/filebeat/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 --- /dev/null +++ b/filebeat/tasks/apt_sources.yml 
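Review bot: The added `Update APT cache` task uses the short `apt:` module name while the neighbouring tasks in this file (`ansible.builtin.apt_repository`, `ansible.builtin.apt`) use fully qualified names; make it `ansible.builtin.apt:` for consistency. Its extra indentation suggests it sits inside a block whose start is outside the hunk, so check that `hwraid_sources` is registered at the same level and that the block's own `when:` does not skip the refresh unexpectedly (on the Debian <12 path the `apt_repository` task already refreshes via `update_cache: yes`, so a skipped refresh there is harmless). The hwraid repository stays on plain `http://`; with `signed-by` the packages are still authenticated, but the channel reveals which packages each host fetches.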
@@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 20858669..0c20cc6c 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml 
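Review bot: `state: present` on the `ansible.builtin.template` task is rejected by the template action plugin (`'state' cannot be specified on a template`), so the Debian >=12 branch fails before `elastic.sources` is written; delete that line. Within the same file the `Update APT cache` task uses bare `apt:` while every other task is `ansible.builtin.*` — use `ansible.builtin.apt:`. The file is byte-identical (blob `d6597c74`) to the kibana, logstash and metricbeat copies, so both fixes apply there as well.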
@@ -1,62 +1,11 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - filebeat - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - filebeat - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - filebeat - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - filebeat - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - filebeat - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - filebeat - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - filebeat + - packages - name: Filebeat is installed apt: diff --git a/filebeat/templates/elastic.sources.j2 b/filebeat/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/filebeat/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file 
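Review bot: `import_tasks` with `args: apply:` is a parse error (`Invalid options for import_tasks: apply`); `apply` exists only for `include_tasks`. Put the `filebeat`/`packages` tags directly under `tags:` on the `APT sources` task — tags on an import propagate to the imported tasks — or use `ansible.builtin.include_tasks`. The hunk also silently drops the purge of the legacy Elastic key `D88E42B4` from `/etc/apt/trusted.gpg`, where it is trusted for all repositories; that cleanup should move into `apt_sources.yml` rather than disappear.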
diff --git a/fluentd/files/fluentd.asc b/fluentd/files/treasuredata.asc similarity index 100% rename from fluentd/files/fluentd.asc rename to fluentd/files/treasuredata.asc diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 09f93082..21b432f3 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -1,27 +1,9 @@ --- -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - packages - - fluentd - -- name: Fluentd embedded GPG key is absent - apt_key: - id: "AB97ACBE" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - packages - - fluentd - - name: Add Fluentd GPG key copy: - src: fluentd.asc - dest: "{{ apt_keyring_dir }}/fluentd.asc" + src: treasuredata.asc + dest: "{{ apt_keyring_dir }}/treasuredata.asc" force: yes mode: "0644" owner: root 
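Review bot: The key file is now installed as `{{ apt_keyring_dir }}/treasuredata.asc` but the old `{{ apt_keyring_dir }}/fluentd.asc` is left behind on already-provisioned hosts; if `apt_keyring_dir` resolves to `/etc/apt/trusted.gpg.d` (its value is not visible here) that stale copy remains trusted for every repository. Add `ansible.builtin.file: path: "{{ apt_keyring_dir }}/fluentd.asc", state: absent` next to the copy task. The hunk also removes the purge of the legacy `AB97ACBE` key from `/etc/apt/trusted.gpg` with no replacement, which matters for the same globally-trusted reason.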
@@ -30,30 +12,31 @@ - packages - fluentd -- name: Fluentd sources list is available +- name: Add Treasuredata repository (Debian <12) apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" - filename: treasuredata - update_cache: yes + repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + filename: treasuredata.list state: present tags: - packages - fluentd + when: ansible_distribution_major_version is version('12', '<') -- name: Unsigned Fluentd sources list is not available - apt_repository: - repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" - filename: treasuredata - update_cache: yes - state: absent +- name: Add Treasuredata repository (Debian >=12) + ansible.builtin.template: + src: treasuredata.sources.j2 + dest: /etc/apt/sources.list.d/treasuredata.sources + state: present tags: - packages - fluentd + when: ansible_distribution_major_version is version('12', '>=') - name: Fluentd is installed. apt: name: td-agent state: present + update_cache: yes tags: - fluentd - packages diff --git a/fluentd/templates/treasuredata.sources.j2 b/fluentd/templates/treasuredata.sources.j2 new file mode 100644 index 00000000..38dc3eb7 --- /dev/null +++ b/fluentd/templates/treasuredata.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ +Suites: {{ ansible_distribution_release }} +Components: contrib +Signed-by: {{ apt_keyring_dir }}/treasuredata.asc +Enabled: yes \ No newline at end of file diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 956892f4..3a855f9c 100644 --- a/jenkins/tasks/main.yml 
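Review bot: `filename: treasuredata` becomes `filename: treasuredata.list`, the opposite of the docker fix in this same series: `apt_repository` appends `.list` itself, so this writes `treasuredata.list.list` alongside the existing `treasuredata.list` and lists the repository twice on Debian <12 hosts. Keep `filename: treasuredata`. The new `>=12` template task carries `state: present`, which `ansible.builtin.template` rejects, and unlike the other roles it registers nothing, so `Fluentd is installed` relies solely on its own `update_cache: yes` — workable, but inconsistent with the `register`/`is changed` pattern used elsewhere.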
+++ b/jenkins/tasks/main.yml @@ -5,18 +5,6 @@ # http://mirrors.jenkins.io/.* # http://jenkins.mirror.isppower.de/.* -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: Jenkins embedded GPG key is absent - apt_key: - id: "D50582E6" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - - name: Add Jenkins GPG key copy: src: jenkins.asc @@ -26,22 +14,30 @@ owner: root group: root -- name: Add jenkins APT repository +- name: Add Jenkins APT repository (Debian <12) apt_repository: repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/ filename: jenkins update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Remove unsigned jenkins APT repository - apt_repository: - repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ - filename: jenkins +- name: Add Jenkins repository (Debian >=12) + ansible.builtin.template: + src: jenkins.sources.j2 + dest: /etc/apt/sources.list.d/jenkins.sources + state: present + register: jenkins_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: update_cache: yes - state: absent + when: jenkins_sources is changed - name: Install Jenkins apt: name: jenkins + state: present - name: Change Jenkins port replace: diff --git a/jenkins/templates/jenkins.sources.j2 b/jenkins/templates/jenkins.sources.j2 new file mode 100644 index 00000000..c3578a03 --- /dev/null +++ b/jenkins/templates/jenkins.sources.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://pkg.jenkins-ci.org/debian-stable +Suites: binary/ +Signed-by: {{ apt_keyring_dir }}/jenkins.asc +Enabled: yes \ No newline at end of file diff --git a/kibana/tasks/apt_sources.yml b/kibana/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 --- /dev/null +++ b/kibana/tasks/apt_sources.yml 
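Review bot: In `Add Jenkins repository (Debian >=12)` the `state: present` line is invalid for `ansible.builtin.template` (the action plugin fails with `'state' cannot be specified on a template`), so the Debian 12 path never writes `jenkins.sources`; remove it. The `Update APT cache` task should read `ansible.builtin.apt:` to match the FQCN style the series is adopting. The removed `Jenkins embedded GPG key is absent` task was the only thing purging key `D50582E6` from the globally trusted `/etc/apt/trusted.gpg`; hosts provisioned before the `signed-by` switch keep that key trusted for all sources unless the task is retained.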
@@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 341bfd13..176af2d3 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml 
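Review bot: `state: present` on the `ansible.builtin.template` task is not a valid option and makes the Debian >=12 branch fail (`'state' cannot be specified on a template`); drop it. `Update APT cache` uses bare `apt:` where the rest of the file is `ansible.builtin.*`. This copy is identical to the filebeat, logstash and metricbeat files, so fix them together or factor the file out.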
@@ -1,67 +1,17 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - kibana - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - kibana - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - kibana - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - kibana - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - kibana - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - kibana - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - kibana + - packages - name: Kibana is installed apt: name: kibana state: present + update_cache: yes tags: - kibana - packages diff --git a/kibana/templates/elastic.sources.j2 b/kibana/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/kibana/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file 
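Review bot: `ansible.builtin.import_tasks` rejects `args: apply:` (`Invalid options for import_tasks: apply` — `apply` is an `include_tasks` feature), so this role fails to parse. Set `tags:` directly on the `APT sources` task; imported tasks inherit them. As in the other Elastic roles, the `D88E42B4` purge from `/etc/apt/trusted.gpg` vanishes here with nothing replacing it; that keyring trusts a key for every repository, so the cleanup is worth keeping in `apt_sources.yml`.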
diff --git a/logstash/tasks/apt_sources.yml b/logstash/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 --- /dev/null +++ b/logstash/tasks/apt_sources.yml @@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index d1f4b2da..11b0a0bf 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml 
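Review bot: The `ansible.builtin.template` task carries `state: present`, which the template action plugin refuses (`'state' cannot be specified on a template`), so the Debian >=12 path fails before `elastic.sources` is written; remove the line. The `Update APT cache` task mixes bare `apt:` into an otherwise fully qualified file — use `ansible.builtin.apt:`. Being a byte-for-byte copy of the filebeat, kibana and metricbeat files, it would be better shared than maintained in four places.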
@@ -1,62 +1,11 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - logstash - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - logstash - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - logstash - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - logstash - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - logstash - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - logstash - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - logstash + - packages - name: Logstash is installed apt: diff --git a/logstash/templates/elastic.sources.j2 b/logstash/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/logstash/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file diff --git a/metricbeat/tasks/apt_sources.yml b/metricbeat/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 
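Review bot: The `args: apply:` block under `import_tasks: apt_sources.yml` is a parse error in Ansible ('Invalid options for import_tasks: apply'); `apply` exists only for `include_tasks`, whereas a static import takes `tags:` on the task and propagates them, so replace those three lines with `  tags: [logstash, packages]`. Removing `Elastic embedded GPG key is absent` also means a legacy D88E42B4 key in `/etc/apt/trusted.gpg` is no longer purged on hosts set up by older runs; a key in the global keyring is trusted for all repositories, so keep that cleanup here (or in the apt role) so `Signed-by` actually bounds trust. The install task continues past the end of the hunk.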
--- /dev/null +++ b/metricbeat/tasks/apt_sources.yml @@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 71d65022..7fc21d09 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
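Review bot: `state: present` under `ansible.builtin.template` in `Add Elastic repository (Debian >=12)` is not a template option and, as far as I recall, makes the action plugin abort ('state cannot be specified on a template'), so on Debian 12 the sources file is never written and the following `Update APT cache` is never reached; remove that line. This file is byte-identical to the logstash and kibana copies; a single shared task file (or one variable for the product name) would stop the three from drifting, which matters here because this is where repository trust is configured.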
@@ -1,62 +1,11 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - metricbeat - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - metricbeat - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - metricbeat - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - metricbeat - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - metricbeat - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - metricbeat - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - metricbeat + - packages - name: Metricbeat is installed apt: diff --git a/metricbeat/templates/elastic.sources.j2 b/metricbeat/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/metricbeat/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index 3054ccfe..a71651bf 100644 
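Review bot: `import_tasks` combined with `args: apply: tags:` fails at parse time ('Invalid options for import_tasks: apply'), so this role will not load at all; either switch to `include_tasks: apt_sources.yml` to keep `apply`, or keep the static import and set `tags: [metricbeat, packages]` directly on the task. The kibana hunk added `update_cache: yes` to its install task while this one does not; whether `Metricbeat is installed` refreshes the index after a new repository is written is decided outside the hunk, so worth checking. The install task continues past the end of the hunk.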
--- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -1,13 +1,14 @@ --- -- include: main_jessie.yml +- ansible.builtin.import_tasks: main_jessie.yml when: ansible_distribution_release == "jessie" -- include: main_stretch.yml +- ansible.builtin.import_tasks: main_stretch.yml when: ansible_distribution_release == "stretch" -- include: main_buster.yml +- ansible.builtin.import_tasks: main_buster.yml when: ansible_distribution_release == "buster" -- include: main_bullseye.yml - when: ansible_distribution_major_version is version('11', '>=') +- ansible.builtin.import_tasks: main_bullseye.yml + when: ansible_distribution_release == "bullseye" + diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index c17642ea..aa20fb97 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -1,22 +1,10 @@ --- - fail: - msg: Not compatible with Debian 11 (Bullseye) + msg: MongoDB versions <4.2 are not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - - mongodb_version is version('5.0', '<') - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: MongoDB embedded GPG key is absent - apt_key: - id: "B8612B5D" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists + - mongodb_version is version('5.2', '<') - name: Add MongoDB GPG key copy: 
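Review bot: Narrowing the last import from `ansible_distribution_major_version is version('11', '>=')` to `ansible_distribution_release == "bullseye"` leaves Debian 12 and anything newer matching no task file, so the role silently does nothing instead of failing. Add a guard after the imports, e.g. `- ansible.builtin.fail:` / `    msg: "Unsupported Debian release {{ ansible_distribution_release }}"` / `  when: ansible_distribution_release not in ["jessie", "stretch", "buster", "bullseye"]`, or provide a `main_bookworm.yml`. A silent skip in a database role is worse than a hard stop, because later plays may assume mongod is installed and configured.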
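Review bot: The new `fail` condition `mongodb_version is version('5.2', '<')` contradicts its own message (`MongoDB versions <4.2 are not compatible`) and also tightens the previous `5.0` threshold, so a `mongodb_version` of `5.0` that the old code accepted on Bullseye now aborts. If the original rule is intended, use `- mongodb_version is version('5.0', '<')` and make the message say `<5.0`; if `5.2` is deliberate, the message should say so. The task file continues in the next hunk.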
@@ -27,19 +15,11 @@ owner: root group: root -- name: Enable APT sources list +- name: Add MongoDB repository apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" - update_cache: yes - -- name: Disable unsigned APT sources list - apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" - state: absent - filename: "mongodb-org-{{ mongodb_version }}" - update_cache: yes - name: Install packages apt: diff --git a/newrelic/tasks/php.yml b/newrelic/tasks/php.yml index 3bd4d809..5afe937d 100644 --- a/newrelic/tasks/php.yml +++ b/newrelic/tasks/php.yml @@ -1,7 +1,7 @@ --- - name: Pre-seed package configuration with app name - debconf: + ansible.builtin.debconf: name: newrelic-php5 question: "newrelic-php5/application-name" value: "{{ newrelic_appname }}" @@ -9,7 +9,7 @@ when: newrelic_appname | length > 0 - name: Pre-seed package configuration with license - debconf: + ansible.builtin.debconf: name: newrelic-php5 question: "newrelic-php5/license-key" value: "{{ newrelic_license }}" 
@@ -17,26 +17,27 @@ when: newrelic_license | length > 0 - name: list newrelic config files - shell: "find /etc/php* -type f -name newrelic.ini" + ansible.builtin.shell: + cmd: "find /etc/php* -type f -name newrelic.ini" changed_when: False check_mode: no register: find_newrelic_ini - name: Disable AWS detection - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" regexp: '^;?newrelic.daemon.utilization.detect_aws' line: 'newrelic.daemon.utilization.detect_aws = false' loop: "{{ find_newrelic_ini.stdout_lines }}" - name: Disable Docker detection - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" regexp: '^;?newrelic.daemon.utilization.detect_docker' line: 'newrelic.daemon.utilization.detect_docker = false' loop: "{{ find_newrelic_ini.stdout_lines }}" - name: Install package for PHP - apt: + ansible.builtin.apt: name: newrelic-php5 state: present diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index cda58a85..22473df1 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -1,19 +1,7 @@ --- -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: NewRelic embedded GPG key is absent - apt_key: - id: "548C16BF" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - - name: Add NewRelic GPG key - copy: + ansible.builtin.copy: src: newrelic.asc dest: "{{ apt_keyring_dir }}/newrelic.asc" force: yes 
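Review bot: Dropping `NewRelic embedded GPG key is absent` means key 548C16BF is no longer removed from `/etc/apt/trusted.gpg` on hosts that were set up before the move to `Signed-by`; a key in the legacy global keyring is trusted for every repository, which undoes the scoping this role otherwise does. Unless that purge now lives in a shared apt role, keep the `stat` + `apt_key: state: absent` pair here; it is guarded on the keyring's existence, so it is a no-op on clean hosts. The `Add NewRelic GPG key` task continues past the end of the hunk.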
@@ -21,16 +9,23 @@ owner: root group: root -- name: Install NewRelic repository - apt_repository: +- name: Install NewRelic repository (Debian <12) + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free" state: present filename: newrelic update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Desinstall unsigned NewRelic repository - apt_repository: - repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" - state: absent - filename: newrelic +- name: Add NewRelic repository (Debian >=12) + ansible.builtin.template: + src: newrelic.sources.j2 + dest: /etc/apt/sources.list.d/newrelic.sources + state: present + register: newrelic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: update_cache: yes + when: newrelic_sources is changed \ No newline at end of file diff --git a/newrelic/tasks/sysmond.yml b/newrelic/tasks/sysmond.yml index e5c5bab9..a6f7fdf6 100644 --- a/newrelic/tasks/sysmond.yml +++ b/newrelic/tasks/sysmond.yml @@ -1,11 +1,11 @@ --- - name: Install system monitor daemon - apt: + ansible.builtin.apt: name: newrelic-sysmond - name: Set license key for newrelic-sysmond - replace: + ansible.builtin.replace: dest: /etc/newrelic/nrsysmond.cfg regexp: "license_key=REPLACE_WITH_REAL_KEY" replace: "license_key={{ newrelic_license }}" diff --git a/newrelic/templates/newrelic.sources.j2 b/newrelic/templates/newrelic.sources.j2 new file mode 100644 index 00000000..85145fc0 --- /dev/null +++ b/newrelic/templates/newrelic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://apt.newrelic.com/debian/ +Suites: newrelic +Components: non-free +Signed-by: {{ apt_keyring_dir }}/newrelic.asc +Enabled: yes \ No newline at end of file diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 1bd6d38f..f79f058c 100644 --- a/nodejs/tasks/main.yml 
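Review bot: `state: present` on `Add NewRelic repository (Debian >=12)` is not a valid `ansible.builtin.template` option and, as far as I recall, the action plugin refuses it outright, so the Debian 12 path fails before `newrelic.sources` exists; delete that line. Both the one-line entry and the new `newrelic.sources.j2` fetch from `http://apt.newrelic.com/debian/`; `Signed-by` authenticates the index, but plain HTTP still reveals which packages each host pulls, so switch `repo:` and `URIs:` to `https://` if the mirror serves it. The `Update APT cache` task could take the same `ansible.builtin.` prefix as its neighbours.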
+++ b/nodejs/tasks/main.yml @@ -1,36 +1,17 @@ --- -- name: APT https transport is enabled - apt: +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: name: apt-transport-https state: present tags: - system - packages - nodejs - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - system - - packages - - nodejs - -- name: NodeJS embedded GPG key is absent - apt_key: - id: "68576280" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - system - - packages - - nodejs + when: ansible_distribution_major_version is version('10', '<') - name: NodeJS GPG key is installed - copy: + ansible.builtin.copy: src: nodesource.asc dest: "{{ apt_keyring_dir }}/nodesource.asc" mode: "0644" @@ -41,8 +22,8 @@ - packages - nodejs -- name: NodeJS sources list ({{ nodejs_apt_version }}) is available - apt_repository: +- name: Add NodeJS repository (Debian <12) + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" filename: nodesource update_cache: yes 
@@ -51,26 +32,32 @@ - system - packages - nodejs + when: ansible_distribution_major_version is version('12', '<') -- name: Unsigned NodeJS sources list ({{ nodejs_apt_version }}) is not available - apt_repository: - repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" - filename: nodesource - update_cache: yes - state: absent +- name: Add NodeJS repository (Debian >=12) + ansible.builtin.template: + src: nodesource.sources.j2 + dest: /etc/apt/sources.list.d/nodesource.sources + state: present + register: nodesource_sources tags: - system - packages - nodejs + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: nodesource_sources is changed - name: NodeJS is installed - apt: + ansible.builtin.apt: name: nodejs state: present - update_cache: yes tags: - packages - nodejs -- include: yarn.yml +- ansible.builtin.import_tasks: yarn.yml when: nodejs_install_yarn | bool diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index 5d585c42..645f8f90 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -1,29 +1,7 @@ --- -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - system - - packages - - nodejs - - yarn - -- name: Yarn embedded GPG key is absent - apt_key: - id: "86E50310" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - system - - packages - - nodejs - - yarn - - name: Yarn GPG key is installed - copy: + ansible.builtin.copy: src: yarn.asc dest: "{{ apt_keyring_dir }}/yarn.asc" mode: "0644" 
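Review bot: The new `Update APT cache` task carries no `tags:` while every other task in the file is tagged `system`/`packages`/`nodejs` and `update_cache: yes` was removed from `NodeJS is installed`; a run limited with `--tags nodejs` therefore writes the NodeSource entry but installs against the stale index, or fails when the package is new to the host. Add `tags: [system, packages, nodejs]` to it. The template task also sets `state: present`, which `ansible.builtin.template` does not accept and, as far as I recall, rejects at runtime; drop that line so the Debian 12 branch can actually write `nodesource.sources`.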
@@ -35,32 +13,39 @@ - nodejs - yarn -- name: Yarn sources list is available - apt_repository: +- name: Add Yarn repository (Debian <12) + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" filename: yarn - update_cache: yes state: present tags: - system - packages - nodejs - yarn + when: ansible_distribution_major_version is version('12', '<') -- name: Unsigned Yarn sources list is not available - apt_repository: - repo: "deb https://dl.yarnpkg.com/debian/ stable main" - filename: yarn +- name: Add Yarn repository (Debian >=12) + ansible.builtin.template: + src: yarn.sources.j2 + dest: /etc/apt/sources.list.d/yarn.sources + state: present update_cache: yes - state: absent + register: yarn_sources tags: - system - packages - nodejs - yarn + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: yarn_sources is changed - name: Yarn is installed - apt: + ansible.builtin.apt: name: yarn state: present tags: diff --git a/nodejs/templates/nodesource.sources.j2 b/nodejs/templates/nodesource.sources.j2 new file mode 100644 index 00000000..02a4653a --- /dev/null +++ b/nodejs/templates/nodesource.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://deb.nodesource.com/{{ nodejs_apt_version }} +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/nodesource.asc +Enabled: yes \ No newline at end of file diff --git a/nodejs/templates/yarn.sources.j2 b/nodejs/templates/yarn.sources.j2 new file mode 100644 index 00000000..cd98bc13 --- /dev/null +++ b/nodejs/templates/yarn.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://dl.yarnpkg.com/debian/ +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/yarn.asc +Enabled: yes 
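Review bot: The `Add Yarn repository (Debian >=12)` template task sets both `state: present` and `update_cache: yes`; neither is a template option, and the stray `update_cache` would be handed on to the underlying copy, which rejects unknown parameters, so this task cannot succeed on Debian 12. Remove both lines and rely on the following `Update APT cache` task, which in turn needs `tags: [system, packages, nodejs, yarn]` so a tag-limited run does not install yarn against a stale index. Dropping `update_cache: yes` from the `<12` `apt_repository` task is fine, since that module refreshes by default.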
diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 0d146555..7f5b6bf4 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -1,12 +1,10 @@ --- -- name: Setup deb.sury.org repository - Add GPG key - copy: - src: sury.gpg - dest: "{{ apt_keyring_dir }}/sury.gpg" - mode: "0644" - owner: root - group: root +- name: Setup deb.sury.org repository - Install apt-transport-https + apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') - name: copy pub.evolix.org GPG key copy: @@ -16,18 +14,6 @@ owner: root group: root -- name: Setup deb.sury.org repository - Install apt-transport-https - apt: - state: present - name: apt-transport-https - -- name: Setup deb.sury.org repository - Add preferences file - copy: - src: sury.preferences - dest: /etc/apt/preferences.d/z-sury - when: - - ansible_distribution_release != "bullseye" - - name: Setup pub.evolix.org repository - Add source list apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main" 
@@ -36,17 +22,41 @@ when: - ansible_distribution_release == "bullseye" -- name: Setup deb.sury.org repository - Add source list +- name: Setup deb.sury.org repository - Add preferences file + copy: + src: sury.preferences + dest: /etc/apt/preferences.d/z-sury + when: + - ansible_distribution_release != "bullseye" + +- name: Setup deb.sury.org repository - Add GPG key + copy: + src: sury.gpg + dest: "{{ apt_keyring_dir }}/sury.gpg" + mode: "0644" + owner: root + group: root + +- name: Add Sury repository (Debian <12) apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main" filename: sury state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Setup deb.sury.org repository - Remove unsigned source list - apt_repository: - repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" - filename: sury - state: absent +- name: Add Sury repository (Debian >=12) + ansible.builtin.template: + src: sury.sources.j2 + dest: /etc/apt/sources.list.d/sury.sources + state: present + register: sury_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: sury_sources is changed - name: "Override package list for Sury (Debian 9 or later)" set_fact: diff --git a/php/templates/sury.sources.j2 b/php/templates/sury.sources.j2 new file mode 100644 index 00000000..7d8a95c5 --- /dev/null +++ b/php/templates/sury.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://packages.sury.org/php/ +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/sury.gpg +Enabled: yes \ No newline at end of file diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index 1783a763..14d9f9eb 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml 
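Review bot: `state: present` on `Add Sury repository (Debian >=12)` is not a valid `ansible.builtin.template` option and, as far as I recall, is refused by the action plugin, so the Debian 12 path aborts before `sury.sources` is written; remove the line. The `Update APT cache` task uses plain `apt:` while the template task is fully qualified; one form throughout would be cleaner. The reordered `z-sury` preferences task still pins every release except bullseye, so bookworm gets the pin by default of the `!= "bullseye"` test; whether that is intended for the new Debian 12 branch deserves a deliberate decision and a one-line comment.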
@@ -1,25 +1,28 @@ --- -- include: locales.yml +- ansible.builtin.import_tasks: locales.yml -- include: packages_jessie.yml +- ansible.builtin.import_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" -- include: packages_stretch.yml +- ansible.builtin.import_tasks: packages_stretch.yml when: ansible_distribution_release == "stretch" -- include: packages_buster.yml +- ansible.builtin.import_tasks: packages_buster.yml when: ansible_distribution_release == "buster" -- include: packages_bullseye.yml - when: ansible_distribution_major_version is version('11', '>=') +- ansible.builtin.import_tasks: packages_bullseye.yml + when: ansible_distribution_release == "bullseye" -- include: config.yml +- ansible.builtin.import_tasks: packages_bookworm.yml + when: ansible_distribution_release == "bookworm" -- include: nrpe.yml +- ansible.builtin.import_tasks: config.yml -- include: munin.yml +- ansible.builtin.import_tasks: nrpe.yml -- include: logrotate.yml +- ansible.builtin.import_tasks: munin.yml -- include: postgis.yml +- ansible.builtin.import_tasks: logrotate.yml + +- ansible.builtin.import_tasks: postgis.yml when: postgresql_install_postgis | bool diff --git a/postgresql/tasks/packages_bookworm.yml b/postgresql/tasks/packages_bookworm.yml index 8db31b9b..c2088c39 100644 --- a/postgresql/tasks/packages_bookworm.yml +++ b/postgresql/tasks/packages_bookworm.yml @@ -1,15 +1,15 @@ --- - name: "Set variables (Debian 12)" - set_fact: + ansible.builtin.set_fact: postgresql_version: '15' when: postgresql_version is none or postgresql_version | length == 0 -- include: pgdg-repo.yml +- ansible.builtin.import_tasks: pgdg-repo.yml when: postgresql_version != '15' - name: Install postgresql package - apt: + ansible.builtin.apt: name: - "postgresql-{{ postgresql_version }}" - pgtop diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index e825b799..bfbac181 100644 --- a/postgresql/tasks/packages_bullseye.yml 
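Review bot: With `packages_bullseye.yml` now gated on `ansible_distribution_release == "bullseye"` instead of `version('11', '>=')` and `packages_bookworm.yml` on `== "bookworm"`, a Debian release newer than 12 matches no package task and the role proceeds straight into `config.yml` with nothing installed. A final guard such as `- ansible.builtin.fail:` / `    msg: "Unsupported Debian release {{ ansible_distribution_release }}"` / `  when: ansible_distribution_release not in ["jessie", "stretch", "buster", "bullseye", "bookworm"]` makes that explicit instead of a silent misconfiguration.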
+++ b/postgresql/tasks/packages_bullseye.yml @@ -14,3 +14,4 @@ - "postgresql-{{ postgresql_version }}" - pgtop - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 7ecf11be..3e8851fb 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -14,3 +14,4 @@ - "postgresql-{{ postgresql_version }}" - pgtop - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index 60bb2247..70b5e181 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -10,8 +10,8 @@ - name: Install postgresql package apt: - name: '{{ item }}' - loop: - - "postgresql-{{ postgresql_version }}" - - ptop - - libdbd-pg-perl + name: + - "postgresql-{{ postgresql_version }}" + - ptop + - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index 45b8840c..97a71952 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -14,3 +14,4 @@ - "postgresql-{{ postgresql_version }}" - ptop - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index ef467f97..9db20921 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -8,18 +8,6 @@ - meta: flush_handlers -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: PGDG embedded GPG key is absent - apt_key: - id: "ACCC4CF8" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - - name: Add PGDG GPG key copy: src: postgresql.asc 
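Review bot: Removing `PGDG embedded GPG key is absent` leaves key ACCC4CF8 in `/etc/apt/trusted.gpg` on hosts configured before the `Signed-by` migration, where the legacy keyring is trusted for all repositories, so the per-repo scoping on the following task is only partial there. Unless this cleanup now runs from a shared apt role, keep the `stat` + `apt_key: state: absent` pair here; it is a no-op on clean hosts. The `Add PGDG GPG key` task starts at the end of this hunk and continues into the next.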
@@ -29,16 +17,25 @@ owner: root group: root -- name: Add PGDG repository +- name: Add PGDG repository (Debian <12) apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" + filename: postgresql update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Remove unsigned PGDG repository - apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" +- name: Add PGDG repository (Debian >=12) + ansible.builtin.template: + src: postgresql.sources.j2 + dest: /etc/apt/sources.list.d/postgresql.sources + state: present + register: postgresql_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: update_cache: yes - state: absent + when: elastic_sources is changed - name: Add APT preference file template: diff --git a/postgresql/tasks/postgis.yml b/postgresql/tasks/postgis.yml index f2300943..dbd511e9 100644 --- a/postgresql/tasks/postgis.yml +++ b/postgresql/tasks/postgis.yml @@ -5,3 +5,4 @@ - postgis - "postgresql-{{ postgresql_version }}-postgis-2.5" - "postgresql-{{ postgresql_version }}-postgis-2.5-scripts" + update_cache: yes diff --git a/postgresql/templates/postgresql.sources.j2 b/postgresql/templates/postgresql.sources.j2 new file mode 100644 index 00000000..38284d20 --- /dev/null +++ b/postgresql/templates/postgresql.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://apt.postgresql.org/pub/repos/apt/ +Suites: {{ ansible_distribution_release }}-pgdg +Components: main +Signed-by: {{ apt_keyring_dir }}/postgresql.asc +Enabled: yes \ No newline at end of file From efd6e8d6b3b9023c5a411a847af37bda76ff47bc Mon Sep 17 00:00:00 2001 
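Review bot: `when: elastic_sources is changed` on the `Update APT cache` task is a copy-paste from the Elastic roles; nothing in this file registers `elastic_sources`, so on Debian 12 the conditional errors on an undefined variable (or, if an Elastic role ran earlier in the same play, gates the refresh on the wrong repository). It should read `when: postgresql_sources is changed`. The template task above it also sets `state: present`, which `ansible.builtin.template` does not accept and, as far as I recall, refuses at runtime, so the Debian 12 branch cannot reach the cache update anyway; drop that line.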
From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:45:44 +0100 Subject: [PATCH 13/45] apt: add wrapper tasks files for backward compatibility --- apt/tasks/backports.yml | 13 +++++++++++++ apt/tasks/basics.yml | 13 +++++++++++++ apt/tasks/evolix_public.yml | 13 +++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 apt/tasks/backports.yml create mode 100644 apt/tasks/basics.yml create mode 100644 apt/tasks/evolix_public.yml diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml new file mode 100644 index 00000000..205574e5 --- /dev/null +++ b/apt/tasks/backports.yml @@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: Install backports repositories (Debian <12) + import_tasks: backports.oneline.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Install backports repositories (Debian >=12) + import_tasks: backports.deb822.yml + when: + - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml new file mode 100644 index 00000000..7966c849 --- /dev/null +++ b/apt/tasks/basics.yml @@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: Install basics repositories (Debian <12) + import_tasks: basics.oneline.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Install basics repositories (Debian >=12) + import_tasks: basics.deb822.yml + when: + - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml new file mode 100644 index 00000000..6d0a2de4 --- /dev/null +++ b/apt/tasks/evolix_public.yml 
@@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: Install Evolix Public repositories (Debian <12) + import_tasks: evolix_public.oneline.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Install Evolix Public repositories (Debian >=12) + import_tasks: evolix_public.deb822.yml + when: + - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file From 16aabbe091802d00ee740d66960a693471a1791d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:46:15 +0100 Subject: [PATCH 14/45] fluentd: deb922 sources --- fluentd/tasks/main.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 21b432f3..fa9a0470 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -15,8 +15,9 @@ - name: Add Treasuredata repository (Debian <12) apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" - filename: treasuredata.list + filename: treasuredata state: present + update_cache: yes tags: - packages - fluentd @@ -27,16 +28,21 @@ src: treasuredata.sources.j2 dest: /etc/apt/sources.list.d/treasuredata.sources state: present + register: treasuredata_sources tags: - packages - fluentd when: ansible_distribution_major_version is version('12', '>=') +- name: Update APT cache + apt: + update_cache: yes + when: treasuredata_sources is changed + - name: Fluentd is installed. apt: name: td-agent state: present - update_cache: yes tags: - fluentd - packages From 09d3f606cd4478e0e036f03c383ce36addda6c01 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:47:09 +0100 Subject: [PATCH 15/45] lxc-php: lxc dependency is resolved manually --- lxc-php/meta/main.yml | 6 +----- lxc-php/tasks/main.yml | 8 ++++++++ 2 files changed, 9 insertions(+), 5 deletions(-) 
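Review bot: The new `Update APT cache` task in fluentd/tasks/main.yml has no `tags:` while `update_cache: yes` was removed from `Fluentd is installed.`, so a run with `--tags fluentd` or `--tags packages` installs `td-agent` against an index that does not yet know the Treasuredata repository; add `tags: [packages, fluentd]` to it. The surrounding template task still carries `state: present`, which `ansible.builtin.template` does not accept, so the Debian 12 path likely fails before reaching this point. The repository is also fetched over plain `http://`; `signed-by` covers integrity, but https would keep the package list off the wire.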
diff --git a/lxc-php/meta/main.yml b/lxc-php/meta/main.yml index 58c2298c..88d4c6e9 100644 --- a/lxc-php/meta/main.yml +++ b/lxc-php/meta/main.yml @@ -27,8 +27,4 @@ galaxy_info: allow_duplicates: yes -dependencies: - - { role: evolix/lxc, - lxc_containers: [ { name: "{{ lxc_php_version }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } ], - when: lxc_php_version is defined - } +dependencies: [] diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index d967287d..9862e523 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -4,6 +4,14 @@ msg: Please configure var lxc_php_version when: lxc_php_version is none + +- include_role: + name: evolix/lxc + vars: + lxc_containers: + - { name: "{{ lxc_php_version }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } + when: lxc_php_version is defined + - name: "Update APT cache in container {{ lxc_php_version }}" lxc_container: name: "{{ lxc_php_version }}" From 1d03e73a62de116490d2e455a4010b6d6bb227d8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:50:58 +0100 Subject: [PATCH 16/45] lxc-php: extract variables --- lxc-php/tasks/mail_opensmtpd.yml | 4 ++-- lxc-php/tasks/mail_ssmtp.yml | 2 +- lxc-php/tasks/main.yml | 4 ++++ lxc-php/tasks/misc.yml | 6 +++--- lxc-php/tasks/php56.yml | 4 ++-- lxc-php/tasks/php70.yml | 4 ++-- lxc-php/tasks/php73.yml | 4 ++-- lxc-php/tasks/php74.yml | 6 +++--- lxc-php/tasks/php80.yml | 23 ++++++++++++++--------- lxc-php/tasks/php81.yml | 22 +++++++++++++--------- lxc-php/tasks/umask.yml | 6 +----- 11 files changed, 47 insertions(+), 38 deletions(-) diff --git a/lxc-php/tasks/mail_opensmtpd.yml b/lxc-php/tasks/mail_opensmtpd.yml index 25dec9ea..02f36728 100644 --- a/lxc-php/tasks/mail_opensmtpd.yml +++ b/lxc-php/tasks/mail_opensmtpd.yml 
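Review bot: The guard on the new `include_role` (`when: lxc_php_version is defined`) does not match the `fail` just above it, which only fires on `lxc_php_version is none`; a variable that is simply unset is not `None`, so it passes the fail, skips container creation, and then breaks on the first `{{ lxc_php_version }}` further down. Make the fail task the single gate, e.g. `when: lxc_php_version is not defined or lxc_php_version is none`, and drop the `when` from the include. Moving the dependency out of `meta/main.yml` is reasonable, but a one-line comment such as `# resolved here so lxc_containers can be built from lxc_php_version` would spare the next reader a git blame. The `lxc_container` task that follows continues past the end of the hunk.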
@@ -8,7 +8,7 @@ - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" template: src: smtpd.conf.j2 - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf" + dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" notify: "Restart opensmtpd" when: lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"] @@ -17,7 +17,7 @@ - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" template: src: smtpd.conf.bullseye.j2 - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf" + dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" notify: "Restart opensmtpd" when: not lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"] diff --git a/lxc-php/tasks/mail_ssmtp.yml b/lxc-php/tasks/mail_ssmtp.yml index 95055044..f14cfe57 100644 --- a/lxc-php/tasks/mail_ssmtp.yml +++ b/lxc-php/tasks/mail_ssmtp.yml @@ -8,5 +8,5 @@ - name: "{{ lxc_php_version }} - Configure ssmtp" template: src: ssmtp.conf.j2 - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/ssmtp/ssmtp.conf" + dest: "{{ lxc_rootfs }}/etc/ssmtp/ssmtp.conf" mode: "0644" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index 9862e523..bd2ae182 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -12,6 +12,10 @@ - { name: "{{ lxc_php_version }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } when: lxc_php_version is defined +- name: set LXC rootfs + ansible.builtin.set_fact: + lxc_rootfs: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + - name: "Update APT cache in container {{ lxc_php_version }}" lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index c5aa5245..22598ee0 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml 
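Review bot: `ssmtp.conf` is written with `mode: "0644"` into the container rootfs; if `ssmtp.conf.j2` carries relay credentials (`AuthUser`/`AuthPass`), every user inside the container can read them, so `mode: "0640"` with the group the ssmtp package expects (`mail` on Debian, to be confirmed) would be the safer default. I cannot see the template, so the credential part is an assumption to verify. The `{{ lxc_rootfs }}` substitution depends on the `set_fact` in main.yml having run first; a short comment at the top of this file noting that would help.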
@@ -4,18 +4,18 @@
 copy:
 remote_src: yes
 src: "/etc/timezone"
- dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/timezone"
+ dest: "{{ lxc_rootfs }}/etc/timezone"
 - name: "{{ lxc_php_version }} - Ensure container's root directory is 755"
 file:
- path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs"
+ path: "{{ lxc_rootfs }}"
 state: directory
 mode: '0755'
 - name: "{{ lxc_php_version }} - Configure mailname for the container"
 copy:
 content: "{{ evolinux_hostname }}.{{ evolinux_domain }}\n"
- dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/mailname"
+ dest: "{{ lxc_rootfs }}/etc/mailname"
 notify: "Restart opensmtpd"
 - name: "{{ lxc_php_version }} - Install misc packages"
diff --git a/lxc-php/tasks/php56.yml b/lxc-php/tasks/php56.yml
index ece7dc8d..b0f376d8 100644
--- a/lxc-php/tasks/php56.yml
+++ b/lxc-php/tasks/php56.yml
@@ -12,8 +12,8 @@
 mode: "0644"
 notify: "Reload {{ lxc_php_version }}-fpm"
 loop:
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php5/fpm/conf.d/z-evolinux-defaults.ini"
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php5/cli/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php5/fpm/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php5/cli/conf.d/z-evolinux-defaults.ini"
 loop_control:
 loop_var: line_item
diff --git a/lxc-php/tasks/php70.yml b/lxc-php/tasks/php70.yml
index 2291b386..18523846 100644
--- a/lxc-php/tasks/php70.yml
+++ b/lxc-php/tasks/php70.yml
@@ -12,8 +12,8 @@
 mode: "0644"
 notify: "Reload {{ lxc_php_version }}-fpm"
 loop:
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini"
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini"
 loop_control:
 loop_var: line_item
diff --git a/lxc-php/tasks/php73.yml b/lxc-php/tasks/php73.yml
index d7fd7937..4bb037e7 100644
--- a/lxc-php/tasks/php73.yml
+++ b/lxc-php/tasks/php73.yml
@@ -12,8 +12,8 @@
 mode: "0644"
 notify: "Reload {{ lxc_php_version }}-fpm"
 loop:
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini"
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini"
 loop_control:
 loop_var: line_item
diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml
index 64677009..65660f92 100644
--- a/lxc-php/tasks/php74.yml
+++ b/lxc-php/tasks/php74.yml
@@ -7,7 +7,7 @@
 - name: "{{ lxc_php_version }} - fix bullseye repository"
 replace:
- dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list"
+ dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
 regexp: 'bullseye/updates'
 replace: 'bullseye-security'
@@ -18,8 +18,8 @@
 mode: "0644"
 notify: "Reload {{ lxc_php_version }}-fpm"
 loop:
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini"
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini"
 loop_control:
 loop_var: line_item
diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml
index 4e5ac498..0e9d29a6 100644
--- a/lxc-php/tasks/php80.yml
+++ b/lxc-php/tasks/php80.yml
@@ -1,31 +1,36 @@
 ---
+- name: set APT keyring
+ ansible.builtin.set_fact:
+ lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
+
+
 - name: "{{ lxc_php_version }} - Install dependency packages"
 lxc_container:
 name: "{{ lxc_php_version }}"
- container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg"
+ container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
 - name: "{{ lxc_php_version }} - fix bullseye repository"
 replace:
- dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list"
+ dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
 regexp: 'bullseye/updates'
 replace: 'bullseye-security'
 - name: "{{ lxc_php_version }} - Add sury repo"
 lineinfile:
- dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list.d/sury.list"
+ dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
 line: "{{ item }}"
 state: present
 create: yes
 mode: "0644"
 loop:
- - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
- - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main"
+ - "deb [signed-by={{ lxc_apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
+ - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main"
 - name: copy pub.evolix.net GPG key
 copy:
 src: pub_evolix.asc
- dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
+ dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc"
 mode: "0644"
 owner: root
 group: root
@@ -33,7 +38,7 @@
 - name: copy packages.sury.org GPG Key
 copy:
 src: sury.gpg
- dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg
+ dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg"
 mode: "0644"
 owner: root
 group: root
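Review bot: The new `set APT keyring` task hard-codes `/etc/apt/trusted.gpg.d` here and is repeated verbatim in php81.yml (next hunk) and with `/etc/apt/keyrings` in php82.yml in [PATCH 17/45]; the value depends on the container's Debian release, not on the PHP version, so it belongs next to the `lxc_rootfs` fact in main.yml as one derivation, e.g. `lxc_apt_keyring_dir: "{{ (lxc_php_container_releases[lxc_php_version] in ['jessie', 'stretch', 'buster', 'bullseye']) | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"`. Dropping `apt-transport-https` from the container's dependency install is fine for a bullseye container, where HTTPS is built into apt, but the `https://packages.sury.org` source a few lines below depends on that, so a comment on the install task such as `# HTTPS support is built into apt on bullseye; apt-transport-https is no longer needed` would stop someone re-adding it or, conversely, assuming the https source is optional. The keys are copied after the sources list is written, which is only safe because no apt update runs in between; worth a one-line note if that ordering ever changes.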
@@ -55,8 +60,8 @@
 mode: "0644"
 notify: "Reload {{ lxc_php_version }}-fpm"
 loop:
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.0/fpm/conf.d/z-evolinux-defaults.ini"
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.0/cli/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/8.0/fpm/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/8.0/cli/conf.d/z-evolinux-defaults.ini"
 loop_control:
 loop_var: line_item
diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml
index 677fe14d..966a2880 100644
--- a/lxc-php/tasks/php81.yml
+++ b/lxc-php/tasks/php81.yml
@@ -1,31 +1,35 @@
 ---
+- name: set APT keyring
+ ansible.builtin.set_fact:
+ lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
+
 - name: "{{ lxc_php_version }} - Install dependency packages"
 lxc_container:
 name: "{{ lxc_php_version }}"
- container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg"
+ container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
 - name: "{{ lxc_php_version }} - fix bullseye repository"
 replace:
- dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list"
+ dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
 regexp: 'bullseye/updates'
 replace: 'bullseye-security'
 - name: "{{ lxc_php_version }} - Add sury repo"
 lineinfile:
- dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list.d/sury.list"
+ dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
 line: "{{ item }}"
 state: present
 create: yes
 mode: "0644"
 loop:
- - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
- - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main"
+ - "deb [signed-by={{ lxc_apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
+ - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main"
 - name: copy pub.evolix.net GPG key
 copy:
 src: pub_evolix.asc
- dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
+ dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc"
 mode: "0644"
 owner: root
 group: root
@@ -33,7 +37,7 @@
 - name: copy packages.sury.org GPG Key
 copy:
 src: sury.gpg
- dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg
+ dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg"
 mode: "0644"
 owner: root
 group: root
@@ -55,8 +59,8 @@
 mode: "0644"
 notify: "Reload {{ lxc_php_version }}-fpm"
 loop:
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.1/fpm/conf.d/z-evolinux-defaults.ini"
- - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.1/cli/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/8.1/fpm/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/8.1/cli/conf.d/z-evolinux-defaults.ini"
 loop_control:
 loop_var: line_item
diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml
index 4460d587..254fd75e 100644
--- a/lxc-php/tasks/umask.yml
+++ b/lxc-php/tasks/umask.yml
@@ -2,13 +2,9 @@
 # dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf
 ---
-- name: "Définis le chemin du système de fichiers du conteneur LXC."
- set_fact:
- lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs"
-
 - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC."
 ansible.builtin.file:
- path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d"
+ path: "{{ lxc_rootfs }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d"
 state: directory
 register: systemd_path
From f8f5bec8b5f672ee09d134b41d3cea583c6c9793 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 19 Mar 2023 11:52:09 +0100
Subject: [PATCH 17/45] lxc-php: prepare php82
---
 lxc-php/defaults/main.yml | 2 ++
 lxc-php/tasks/main.yml | 23 +++++++++++++----------
 lxc-php/tasks/php82.yml | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 10 deletions(-)
 create mode 100644 lxc-php/tasks/php82.yml
diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml
index 9b501b6c..d27f60f2 100644
--- a/lxc-php/defaults/main.yml
+++ b/lxc-php/defaults/main.yml
@@ -21,6 +21,7 @@ lxc_php_container_releases:
 php74: "bullseye"
 php80: "bullseye"
 php81: "bullseye"
+ # php82: "bookworm"
 lxc_php_services:
 php56: 'php5-fpm.service'
@@ -29,5 +30,6 @@ lxc_php_services:
 php74: 'php7.4-fpm.service'
 php80: 'php8.0-fpm.service'
 php81: 'php8.1-fpm.service'
+ # php82: 'php8.2-fpm.service'
 apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
\ No newline at end of file
diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml
index bd2ae182..a1e91431 100644
--- a/lxc-php/tasks/main.yml
+++ b/lxc-php/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Ensure that lxc_php_version is defined"
- fail:
+ ansible.builtin.fail:
 msg: Please configure var lxc_php_version
 when: lxc_php_version is none
@@ -17,28 +17,31 @@
 lxc_rootfs: "/var/lib/lxc/{{ lxc_php_version }}/rootfs"
 - name: "Update APT cache in container {{ lxc_php_version }}"
- lxc_container:
+ community.general.lxc_container:
 name: "{{ lxc_php_version }}"
 container_command: "apt-get update"
-- include: "php56.yml"
+- ansible.builtin.import_tasks: "php56.yml"
 when: lxc_php_version == "php56"
-- include: "php70.yml"
+- ansible.builtin.import_tasks: "php70.yml"
 when: lxc_php_version == "php70"
-- include: "php73.yml"
+- ansible.builtin.import_tasks: "php73.yml"
 when: lxc_php_version == "php73"
-- include: "php74.yml"
+- ansible.builtin.import_tasks: "php74.yml"
 when: lxc_php_version == "php74"
-- include: "php80.yml"
+- ansible.builtin.import_tasks: "php80.yml"
 when: lxc_php_version == "php80"
-- include: "php81.yml"
+- ansible.builtin.import_tasks: "php81.yml"
 when: lxc_php_version == "php81"
-- include: "umask.yml"
+# - ansible.builtin.import_tasks: "php82.yml"
+# when: lxc_php_version == "php82"
-- include: "misc.yml"
+- ansible.builtin.import_tasks: "umask.yml"
+
+- ansible.builtin.import_tasks: "misc.yml"
diff --git a/lxc-php/tasks/php82.yml b/lxc-php/tasks/php82.yml
new file mode 100644
index 00000000..8ecb1e33
--- /dev/null
+++ b/lxc-php/tasks/php82.yml
@@ -0,0 +1,32 @@
+---
+
+- name: set APT keyring
+ ansible.builtin.set_fact:
+ lxc_apt_keyring_dir: /etc/apt/keyrings
+
+- name: "{{ lxc_php_version }} - Install PHP packages"
+ lxc_container:
+ name: "{{ lxc_php_version }}"
+ container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
+
+# TODO : adapt to Bookworm and deb822 format
+
+- name: "{{ lxc_php_version }} - fix bookworm repository"
+ replace:
+ dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
+ regexp: 'bullseye/updates'
+ replace: 'bullseye-security'
+
+- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+ template:
+ src: z-evolinux-defaults.ini.j2
+ dest: "{{ line_item }}"
+ mode: "0644"
+ notify: "Reload {{ lxc_php_version }}-fpm"
+ loop:
+ - "{{ lxc_rootfs }}/etc/php/8.2/fpm/conf.d/z-evolinux-defaults.ini"
+ - "{{ lxc_rootfs }}/etc/php/8.2/cli/conf.d/z-evolinux-defaults.ini"
+ loop_control:
+ loop_var: line_item
+
+- include: "mail_opensmtpd.yml"
From a0986f034d3760dc7d8bc60a5c65c3604db75fb9 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 19 Mar 2023 11:52:34 +0100
Subject: [PATCH 18/45] mongodb: prepare Debian 12
---
 mongodb/tasks/main.yml | 2 +
 mongodb/tasks/main_bookworm.yml | 103 +++++++++++++++++++++++++++
 mongodb/templates/mongodb.sources.j2 | 8 +++
 3 files changed, 113 insertions(+)
 create mode 100644 mongodb/tasks/main_bookworm.yml
 create mode 100644 mongodb/templates/mongodb.sources.j2
diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml
index a71651bf..e8bf2cfc 100644
--- a/mongodb/tasks/main.yml
+++ b/mongodb/tasks/main.yml
@@ -12,3 +12,5 @@
 - ansible.builtin.import_tasks: main_bullseye.yml
 when: ansible_distribution_release == "bullseye"
+- ansible.builtin.import_tasks: main_bookworm.yml
+ when: ansible_distribution_release == "bookworm"
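Review bot: The `fix bookworm repository` task keeps `regexp: 'bullseye/updates'` / `replace: 'bullseye-security'` copied from php80.yml and php81.yml, so on a bookworm container it is either a no-op or rewrites the wrong suite; the TODO just above it says as much, so the task should be dropped or rewritten against the bookworm sources before php82.yml is wired into main.yml. `lxc_apt_keyring_dir` is set at the top but never referenced in this file (there is no sury/evolix repo or key-copy task here, unlike php80/php81), so either the fact is dead or the tasks that need it are still missing. Smaller points: `php-zip` appears twice in the install command, and `lxc_container:` and the trailing `- include: "mail_opensmtpd.yml"` use the bare module name and the deprecated `include` while main.yml in the same commit moves to `community.general.lxc_container` and `ansible.builtin.import_tasks`.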
diff --git a/mongodb/tasks/main_bookworm.yml b/mongodb/tasks/main_bookworm.yml
new file mode 100644
index 00000000..19bb513b
--- /dev/null
+++ b/mongodb/tasks/main_bookworm.yml
@@ -0,0 +1,103 @@
+---
+
+- fail:
+ msg: MongoDB is not compatible with Debian 12 (Bookworm)
+ when:
+ - ansible_distribution_release == "bookworm"
+
+# - fail:
+# msg: MongoDB version <5 are not compatible with Debian 12 (Bookworm)
+# when:
+# - ansible_distribution_release == "bookworm"
+# - mongodb_version is version('5.0', '<')
+
+- name: Add MongoDB repository
+ ansible.builtin.template:
+ src: mongodb.sources.j2
+ dest: /etc/apt/sources.list.d/mongodb.sources
+ state: present
+ register: mongodb_sources
+
+- name: Update APT cache
+ ansible.builtin.apt:
+ update_cache: yes
+ when: mongodb_sources is changed
+
+- name: Install packages
+ ansible.builtin.apt:
+ name: mongodb-org
+ state: present
+ register: _mongodb_install_package
+
+- name: MongoDB service in enabled and started
+ systemd:
+ name: mongod
+ enabled: yes
+ state: started
+ when: _mongodb_install_package is changed
+
+- name: install dependency for monitoring
+ apt:
+ name: python3-pymongo
+ state: present
+
+- name: Custom configuration
+ template:
+ src: mongodb_bullseye.conf.j2
+ dest: "/etc/mongod.conf"
+ force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}"
+ notify: restart mongod
+
+- name: Configure logrotate
+ template:
+ src: logrotate_bullseye.j2
+ dest: /etc/logrotate.d/mongodb
+ force: yes
+ backup: no
+
+- include_role:
+ name: evolix/remount-usr
+
+- name: Create plugin directory
+ file:
+ name: /usr/local/share/munin/
+ state: directory
+ mode: "0755"
+
+- name: Create plugin directory
+ file:
+ name: /usr/local/share/munin/plugins/
+ state: directory
+ mode: "0755"
+
+- name: Munin plugins are present
+ copy:
+ src: "munin/{{ item }}"
+ dest: '/usr/local/share/munin/plugins/{{ item }}'
+ force: yes
+ loop:
+ - mongo_btree
+ - mongo_collections
+ - mongo_conn
+ - mongo_docs
+ - mongo_lock
+ - mongo_mem
+ - mongo_ops
+ - mongo_page_faults
+ notify: restart munin-node
+
+- name: Enable core Munin plugins
+ file:
+ src: '/usr/local/share/munin/plugins/{{ item }}'
+ dest:
/etc/munin/plugins/{{ item }}
+ state: link
+ loop:
+ - mongo_btree
+ - mongo_collections
+ - mongo_conn
+ - mongo_docs
+ - mongo_lock
+ - mongo_mem
+ - mongo_ops
+ - mongo_page_faults
+ notify: restart munin-node
diff --git a/mongodb/templates/mongodb.sources.j2 b/mongodb/templates/mongodb.sources.j2
new file mode 100644
index 00000000..ab55d938
--- /dev/null
+++ b/mongodb/templates/mongodb.sources.j2
@@ -0,0 +1,8 @@
+# {{ansible_managed }}
+
+Types: deb
+URIs: http://repo.mongodb.org/apt/debian
+Suites: bookworm/mongodb-org/{{ mongodb_version }}
+Components: main
+Signed-by: {{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc
+Enabled: yes
\ No newline at end of file
From 151e6914a8624739504b3aa4d8aa05fe36386a5e Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 19 Mar 2023 11:52:55 +0100
Subject: [PATCH 19/45] mysql: fixes for Debian 12
---
 mysql/tasks/main.yml | 9 +++++++++
 mysql/tasks/utils.yml | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml
index 95cde4a1..2a24c69f 100644
--- a/mysql/tasks/main.yml
+++ b/mysql/tasks/main.yml
@@ -4,6 +4,15 @@
 set_fact:
 mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"
+- name: Default log directory is present
+ file:
+ path: /var/log/mysql
+ owner: mysql
+ group: adm
+ mode: "2750"
+ state: directory
+ when: ansible_distribution_major_version is version('12', '>=')
+
 - include_tasks: packages_stretch.yml
 when: ansible_distribution_major_version is version('9', '>=')
diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml
index 8adbb1be..306ccd00 100644
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
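Review bot: `state: present` under `ansible.builtin.template` in the `Add MongoDB repository` task is not a parameter of that module, so the task will fail with an unsupported-parameter error as soon as this file actually runs; right now it is unreachable because the first task fails unconditionally on bookworm, which is the only release that imports the file (mongodb/tasks/main.yml in this patch). The sources template in the next hunk pins `Signed-by: {{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc`, but no task in this file places that key, so unless another role installs it apt will reject the repository as unsigned over the plain-http URI; a `copy` of the key with `mode: "0644"` before the template task, and a `mode: "0644"` on the `.sources` file itself, would close that gap. The munin plugin `copy` has no `mode:`, and files copied from the controller without one get the remote umask, so it is worth confirming the plugins end up executable. This hunk starts on the previous line.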
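Review bot: The new `Default log directory is present` task sets `owner: mysql` but runs before the `include_tasks: packages_stretch.yml` that installs the server, so on a fresh Debian 12 host where the `mysql` system user does not exist yet the `file` module will fail on the chown; if, as on stock Debian, that user is created by the server package, move the task after the package include, otherwise guard it on the user existing. The rest of main.yml continues outside the hunk.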
@@ -55,11 +55,11 @@
 - name: "Install dependencies for mytop (Debian 12 or later)"
 apt:
 name:
- - mariadb-client-10.6
+ - mariadb-client
 - libconfig-inifiles-perl
 - libterm-readkey-perl
 - libdbd-mariadb-perl
- when: ansible_distribution_major_version is version('12', '=')
+ when: ansible_distribution_major_version is version('12', '>=')
 - name: Read debian-sys-maint password (Debian < 11)
 shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'
From 247a89e928898431232fd64a502d68e77a456bcf Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 19 Mar 2023 11:53:14 +0100
Subject: [PATCH 20/45] syntax
---
 php/tasks/main_buster.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml
index 24673378..58fda84e 100644
--- a/php/tasks/main_buster.yml
+++ b/php/tasks/main_buster.yml
@@ -1,14 +1,14 @@
 ---
 - debug:
- msg: "{{ php_sury_enable }}"
+ var: php_sury_enable
 - name: "Set php version to 7.3 if Sury repo is not enabled"
 set_fact:
 php_version: "7.3"
- when:
- - php_sury_enable == false
 check_mode: no
+ when:
+ - not (php_sury_enable | bool)
 - name: "Set variables (Debian 10)"
 set_fact:
From 1d3866e3f0efec1fee1f67be8d52e16df0bcd5b6 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 19 Mar 2023 11:53:39 +0100
Subject: [PATCH 21/45] packweb-apache: include_role instead of import_role
---
 packweb-apache/tasks/dependencies.yml | 28 +++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml
index 0182654c..c22d4e0b 100644
--- a/packweb-apache/tasks/dependencies.yml
+++ b/packweb-apache/tasks/dependencies.yml
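Review bot: The `debug` task in the php/tasks/main_buster.yml hunk now prints `php_sury_enable` on every run at the default verbosity; if it is there for troubleshooting, `verbosity: 1` under `debug:` keeps normal runs quiet, and if it is not it can simply go. The switch to `when: - not (php_sury_enable | bool)` is the right fix, since the old `== false` comparison would not have matched a string value such as "false" coming from inventory. The rest of the task file continues outside the hunk.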
@@ -1,80 +1,80 @@
 ---
-- import_role:
+- include_role:
 name: evolix/apache
-- import_role:
+- include_role:
 name: evolix/php
 vars:
 php_apache_enable: True
 when: packweb_apache_modphp
-- import_role:
+- include_role:
 name: evolix/php
 vars:
 php_fpm_enable: True
 when: packweb_apache_fpm
-- import_role:
+- include_role:
 name: evolix/squid
 vars:
 squid_localproxy_enable: True
-- import_role:
+- include_role:
 name: evolix/mysql
 when: packweb_mysql_variant == "debian"
-- import_role:
+- include_role:
 name: evolix/mysql-oracle
 when: packweb_mysql_variant == "oracle"
-- import_role:
+- include_role:
 name: evolix/lxc-php
 vars:
 lxc_php_version: php56
 lxc_php_create_mysql_link: True
 when: "'php56' in packweb_multiphp_versions"
-- import_role:
+- include_role:
 name: evolix/lxc-php
 vars:
 lxc_php_version: php70
 lxc_php_create_mysql_link: True
 when: "'php70' in packweb_multiphp_versions"
-- import_role:
+- include_role:
 name: evolix/lxc-php
 vars:
 lxc_php_version: php73
 lxc_php_create_mysql_link: True
 when: "'php73' in packweb_multiphp_versions"
-- import_role:
+- include_role:
 name: evolix/lxc-php
 vars:
 lxc_php_version: php74
 lxc_php_create_mysql_link: True
 when: "'php74' in packweb_multiphp_versions"
-- import_role:
+- include_role:
 name: evolix/lxc-php
 vars:
 lxc_php_version: php80
 lxc_php_create_mysql_link: True
 when: "'php80' in packweb_multiphp_versions"
-- import_role:
+- include_role:
 name: evolix/lxc-php
 vars:
 lxc_php_version: php81
 lxc_php_create_mysql_link: True
 when: "'php81' in packweb_multiphp_versions"
-- import_role:
+- include_role:
 name: evolix/webapps/evoadmin-web
 vars:
 evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"
 evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}"
-- import_role:
+- include_role:
 name: evolix/evoacme
\ No newline at end of file
From 7a73df6bd75c914f7f90e200c28c57dbbd7661b5 Mon Sep 17 00:00:00 2001
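Review bot: Switching every `import_role` to `include_role` changes more than when the role is evaluated: a role pulled in with `include_role` no longer exposes its defaults and vars to the rest of the play unless `public: true` is set on the include, so any later task in packweb-apache that relied on a variable defaulted by evolix/apache, evolix/php or evolix/mysql would now see it undefined, which is worth checking before merging. Tags placed on these tasks also stop reaching the included role's tasks unless passed through `apply: { tags: [...] }`. On the other hand the `vars:` given to each include are now scoped to that role invocation instead of the whole play, which is exactly what the six lxc-php includes with different `lxc_php_version` values need, so a short header comment stating that intent, e.g. `# include_role (not import_role): each lxc-php invocation must get its own lxc_php_version`, would keep the next reader from reverting it.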
From: Jeremy Lecour
Date: Mon, 20 Mar 2023 21:33:49 +0100
Subject: [PATCH 22/45] Comments on Dell RAID controllers
---
 evolinux-base/tasks/hardware.dell.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml
index aa448147..6e1673a6 100644
--- a/evolinux-base/tasks/hardware.dell.yml
+++ b/evolinux-base/tasks/hardware.dell.yml
@@ -1,6 +1,9 @@
 ---
-## LSI MegaRAID 12GSAS/PCIe Secure SAS39xx
+## H745: Broadcom / LSI MegaRAID Tri-Mode SAS3516 (rev 01)
+# This is OK
+
+## H750: Broadcom / LSI MegaRAID 12GSAS/PCIe Secure SAS39xx
 # This is still incompatible with Debian
 - name: Check if PERC HBA11 device is present
From ee21973371462839a455dc109cb34970c4b55def Mon Sep 17 00:00:00 2001
From: Jeremy Lecour Date: Mon, 20 Mar 2023 23:33:19 +0100 Subject: [PATCH 23/45] Use FQCN Fully Qualified Collection Name --- amavis/handlers/main.yml | 2 +- amavis/tasks/main.yml | 4 +- amazon-ec2/amazon-ec2-evolinux.yml | 6 +- amazon-ec2/tasks/create-instance.yml | 8 +- amazon-ec2/tasks/post-install.yml | 2 +- amazon-ec2/tasks/setup.yml | 4 +- apache/handlers/main.yml | 6 +- apache/tasks/auth.yml | 12 +-- apache/tasks/ip_whitelist.yml | 4 +- apache/tasks/log2mail.yml | 4 +- apache/tasks/main.yml | 46 +++++----- apache/tasks/munin.yml | 11 +-- apache/tasks/server_status.yml | 26 +++--- apt/tasks/backports.deb822.yml | 6 +- apt/tasks/backports.oneline.yml | 10 +-- apt/tasks/backports.yml | 4 +- apt/tasks/basics.deb822.yml | 9 +- apt/tasks/basics.oneline.yml | 4 +- apt/tasks/basics.yml | 4 +- apt/tasks/config.yml | 6 +- apt/tasks/evolix_public.deb822.yml | 10 +-- apt/tasks/evolix_public.oneline.yml | 10 +-- apt/tasks/evolix_public.yml | 4 +- apt/tasks/hold_packages.yml | 25 +++--- apt/tasks/main.yml | 28 +++--- apt/tasks/migrate-to-deb822.yml | 9 +- apt/tasks/move-apt-keyring.yml | 13 +-- bind/handlers/main.yml | 8 +- bind/tasks/authoritative.yml | 2 +- bind/tasks/main.yml | 32 +++---- bind/tasks/munin.yml | 22 ++--- bind/tasks/recursive.yml | 4 +- bookworm-detect/tasks/main.yml | 4 +- bullseye-detect/tasks/main.yml | 2 +- certbot/handlers/main.yml | 11 +-- certbot/tasks/acme-challenge.yml | 17 ++-- certbot/tasks/install-legacy.yml | 19 ++-- certbot/tasks/install-package.yml | 2 +- certbot/tasks/main.yml | 19 ++-- clamav/handlers/main.yml | 2 +- clamav/tasks/main.yml | 10 +-- dhcpd/handlers/main.yml | 2 +- dhcpd/tasks/main.yml | 2 +- docker-host/handlers/main.yml | 4 +- dovecot/handlers/main.yml | 6 +- dovecot/tasks/main.yml | 24 ++--- dovecot/tasks/munin.yml | 6 +- drbd/handlers/main.yml | 2 +- drbd/tasks/main.yml | 6 +- drbd/tasks/munin.yml | 6 +- drbd/tasks/nagios.yml | 6 +- drbd/tasks/packages.yml | 4 +- elasticsearch/handlers/main.yml | 2 +- 
elasticsearch/tasks/additional_scripts.yml | 6 +- elasticsearch/tasks/bootstrap_checks.yml | 11 +-- elasticsearch/tasks/configuration.yml | 30 +++---- elasticsearch/tasks/curator.yml | 6 +- elasticsearch/tasks/datadir.yml | 13 +-- elasticsearch/tasks/logs.yml | 6 +- elasticsearch/tasks/main.yml | 18 ++-- elasticsearch/tasks/plugin_head.yml | 16 ++-- elasticsearch/tasks/tmpdir.yml | 13 +-- etc-git/tasks/commit.yml | 3 +- etc-git/tasks/lxc_commit.yml | 8 +- etc-git/tasks/main.yml | 6 +- etc-git/tasks/repositories.yml | 8 +- etc-git/tasks/repository.yml | 19 ++-- etc-git/tasks/utils.yml | 22 ++--- evoacme/handlers/main.yml | 14 +-- evoacme/tasks/certbot.yml | 14 +-- evoacme/tasks/conf.yml | 6 +- evoacme/tasks/evoacme_hook.yml | 7 +- evoacme/tasks/main.yml | 10 +-- evoacme/tasks/permissions.yml | 8 +- evoacme/tasks/scripts.yml | 12 +-- evobackup-client/handlers/main.yml | 9 +- evobackup-client/tasks/jail.yml | 17 ++-- evobackup-client/tasks/main.yml | 10 +-- evobackup-client/tasks/open_ssh_ports.yml | 4 +- evobackup-client/tasks/ssh_key.yml | 6 +- evobackup-client/tasks/upload_scripts.yml | 2 +- evobackup-client/tasks/verify_ssh.yml | 2 +- evocheck/tasks/cron.yml | 6 +- evocheck/tasks/exec.yml | 5 +- evocheck/tasks/install.yml | 14 +-- evocheck/tasks/main.yml | 4 +- evolinux-base/handlers/main.yml | 38 ++++---- evolinux-base/tasks/etc-evolinux.yml | 2 +- evolinux-base/tasks/hardware.dell.yml | 5 +- evolinux-base/tasks/hardware.yml | 4 +- evolinux-base/tasks/main.yml | 58 ++++++------ evolinux-base/tasks/system.yml | 4 +- evolinux-base/tasks/utils.yml | 4 +- evolinux-todo/tasks/cat.yml | 5 +- evolinux-todo/tasks/main.yml | 4 +- evolinux-users/handlers/main.yml | 5 +- evolinux-users/tasks/main.yml | 10 +-- evolinux-users/tasks/ssh.yml | 26 +++--- evolinux-users/tasks/ssh_allowgroups.yml | 7 +- evolinux-users/tasks/ssh_allowusers.yml | 14 +-- evolinux-users/tasks/sudo.yml | 8 +- evolinux-users/tasks/sudo_jessie.yml | 4 +- evolinux-users/tasks/sudo_stretch_common.yml | 7 
+- evolinux-users/tasks/sudo_stretch_user.yml | 4 +- evolinux-users/tasks/user.yml | 50 ++++++----- evomaintenance/handlers/main.yml | 5 +- evomaintenance/tasks/config.yml | 4 +- .../tasks/install_package_debian.yml | 4 +- .../tasks/install_vendor_debian.yml | 10 +-- evomaintenance/tasks/install_vendor_other.yml | 6 +- evomaintenance/tasks/main.yml | 10 +-- evomaintenance/tasks/minifirewall.yml | 11 +-- evomaintenance/tasks/trap.yml | 8 +- fail2ban/handlers/main.yml | 4 +- fail2ban/tasks/fix-dbpurgeage.yml | 9 +- fail2ban/tasks/ip_whitelist.yml | 4 +- fail2ban/tasks/main.yml | 22 ++--- filebeat/handlers/main.yml | 2 +- filebeat/tasks/apt_sources.yml | 2 +- filebeat/tasks/main.yml | 29 +++--- fluentd/handlers/main.yml | 4 +- fluentd/tasks/main.yml | 14 +-- generate-ldif/tasks/exec.yml | 5 +- generate-ldif/tasks/main.yml | 4 +- haproxy/handlers/main.yml | 6 +- haproxy/tasks/main.yml | 29 +++--- haproxy/tasks/munin.yml | 6 +- haproxy/tasks/packages_backports.yml | 12 +-- java/tasks/main.yml | 4 +- java/tasks/openjdk.yml | 10 +-- java/tasks/oracle.yml | 15 ++-- jenkins/handlers/main.yml | 6 +- jenkins/tasks/main.yml | 10 +-- keepalived/handlers/main.yml | 4 +- keepalived/tasks/main.yml | 12 +-- kibana/handlers/main.yml | 2 +- kibana/tasks/apt_sources.yml | 2 +- kibana/tasks/main.yml | 18 ++-- kibana/tasks/proxy_nginx.yml | 4 +- kvm-host/handlers/main.yml | 2 +- kvm-host/tasks/images.yml | 10 +-- kvm-host/tasks/main.yml | 12 +-- kvm-host/tasks/munin.yml | 12 +-- kvm-host/tasks/packages.yml | 4 +- kvm-host/tasks/ssh.yml | 11 +-- kvm-host/tasks/tools.yml | 18 ++-- ldap/handlers/main.yml | 2 +- ldap/tasks/init.yml | 15 ++-- ldap/tasks/ldapvirc.yml | 21 +++-- ldap/tasks/main.yml | 10 +-- ldap/tasks/nagios.yml | 20 +++-- listupgrade/tasks/main.yml | 18 ++-- logstash/handlers/main.yml | 4 +- logstash/tasks/apt_sources.yml | 2 +- logstash/tasks/logs.yml | 10 +-- logstash/tasks/main.yml | 18 ++-- logstash/tasks/tmpdir.yml | 9 +- lxc-php/handlers/main.yml | 22 ++--- 
lxc-php/tasks/mail_opensmtpd.yml | 6 +- lxc-php/tasks/mail_ssmtp.yml | 4 +- lxc-php/tasks/main.yml | 2 +- lxc-php/tasks/misc.yml | 10 +-- lxc-php/tasks/php56.yml | 6 +- lxc-php/tasks/php70.yml | 6 +- lxc-php/tasks/php73.yml | 6 +- lxc-php/tasks/php74.yml | 8 +- lxc-php/tasks/php80.yml | 18 ++-- lxc-php/tasks/php81.yml | 18 ++-- lxc-php/tasks/php82.yml | 8 +- lxc-solr/tasks/main.yml | 6 +- lxc-solr/tasks/solr.yml | 16 ++-- lxc/tasks/create-container.yml | 19 ++-- lxc/tasks/main.yml | 23 ++--- memcached/handlers/main.yml | 6 +- memcached/tasks/instance-default.yml | 4 +- memcached/tasks/instance-multi.yml | 10 +-- memcached/tasks/main.yml | 10 +-- memcached/tasks/munin.yml | 8 +- memcached/tasks/nrpe.yml | 14 +-- memcached/tasks/phpmemcachedadmin.yml | 6 +- metricbeat/handlers/main.yml | 2 +- metricbeat/tasks/apt_sources.yml | 2 +- metricbeat/tasks/main.yml | 20 ++--- minifirewall/handlers/main.yml | 10 ++- minifirewall/tasks/activate.yml | 8 +- minifirewall/tasks/config.legacy.yml | 54 +++++------ minifirewall/tasks/config.yml | 73 +++++++-------- minifirewall/tasks/install.legacy.yml | 6 +- minifirewall/tasks/install.yml | 10 +-- minifirewall/tasks/main.yml | 49 +++++----- minifirewall/tasks/nrpe.yml | 18 ++-- minifirewall/tasks/tail.legacy.yml | 19 ++-- minifirewall/tasks/tail.yml | 15 ++-- minifirewall/tasks/utils.yml | 6 +- minifirewall/tests/test.yml | 2 +- mongodb/handlers/main.yml | 6 +- mongodb/tasks/main_bookworm.yml | 20 ++--- mongodb/tasks/main_bullseye.yml | 26 +++--- mongodb/tasks/main_buster.yml | 30 +++---- mongodb/tasks/main_jessie.yml | 18 ++-- mongodb/tasks/main_stretch.yml | 13 +-- monit/handlers/main.yml | 4 +- monit/tasks/main.yml | 4 +- munin/handlers/main.yml | 6 +- munin/tasks/main.yml | 27 +++--- mysql-oracle/handlers/main.yml | 13 +-- mysql-oracle/tasks/config.yml | 6 +- mysql-oracle/tasks/datadir.yml | 14 +-- mysql-oracle/tasks/log2mail.yml | 4 +- mysql-oracle/tasks/main.yml | 20 ++--- mysql-oracle/tasks/munin.yml | 8 +- 
mysql-oracle/tasks/nrpe.yml | 11 +-- mysql-oracle/tasks/packages.yml | 32 +++---- mysql-oracle/tasks/tmpdir.yml | 4 +- mysql-oracle/tasks/users.yml | 20 +++-- mysql-oracle/tasks/utils.yml | 49 +++++----- mysql/handlers/main.yml | 10 +-- mysql/tasks/config_jessie.yml | 6 +- mysql/tasks/config_stretch.yml | 12 +-- mysql/tasks/datadir.yml | 14 +-- mysql/tasks/log2mail.yml | 4 +- mysql/tasks/logdir.yml | 14 +-- mysql/tasks/main.yml | 38 ++++---- mysql/tasks/munin.yml | 18 ++-- mysql/tasks/mysql_skip.yml | 12 +-- mysql/tasks/nrpe.yml | 11 +-- mysql/tasks/packages_jessie.yml | 14 +-- mysql/tasks/packages_stretch.yml | 12 +-- mysql/tasks/replication.yml | 12 +-- mysql/tasks/tmpdir.yml | 4 +- mysql/tasks/users_bullseye.yml | 2 +- mysql/tasks/users_buster.yml | 16 ++-- mysql/tasks/users_jessie.yml | 11 +-- mysql/tasks/users_stretch.yml | 16 ++-- mysql/tasks/utils.yml | 61 ++++++------- nagios-nrpe/handlers/main.yml | 4 +- nagios-nrpe/tasks/main.yml | 18 ++-- nagios-nrpe/tasks/wrapper.yml | 13 +-- nameserver/tasks/main.yml | 7 +- networkd-to-ifconfig/tasks/main.yml | 24 ++--- .../tasks/set_facts_from_ansible.yml | 4 +- .../tasks/set_facts_from_systemd.yml | 8 +- newrelic/handlers/main.yml | 8 +- newrelic/tasks/main.yml | 6 +- nginx/handlers/main.yml | 6 +- nginx/tasks/ip_whitelist.yml | 4 +- nginx/tasks/logrotate.yml | 2 +- nginx/tasks/main.yml | 42 ++++----- nginx/tasks/munin_graphs.yml | 4 +- nginx/tasks/munin_vhost.yml | 14 +-- nginx/tasks/packages.yml | 6 +- nginx/tasks/packages_backports.yml | 6 +- nginx/tasks/server_status_read.yml | 14 +-- nginx/tasks/server_status_write.yml | 6 +- ntpd/handlers/main.yml | 2 +- ntpd/tasks/main.yml | 6 +- opendkim/handlers/main.yml | 4 +- opendkim/tasks/main.yml | 18 ++-- openvpn/handlers/main.yml | 7 +- openvpn/tasks/debian.yml | 90 ++++++++++--------- openvpn/tasks/main.yml | 6 +- openvpn/tasks/openbsd.yml | 65 +++++++------- packweb-apache/handlers/main.yml | 4 +- packweb-apache/tasks/apache.yml | 16 ++-- 
packweb-apache/tasks/awstats.yml | 13 +-- packweb-apache/tasks/dependencies.yml | 24 ++--- packweb-apache/tasks/fhs_retrictions.yml | 14 +-- packweb-apache/tasks/main.yml | 37 ++++---- packweb-apache/tasks/multiphp.yml | 8 +- packweb-apache/tasks/phpmyadmin.yml | 35 ++++---- percona/tasks/main.yml | 22 ++--- percona/tasks/xtrabackup.yml | 7 +- pgbouncer/tasks/main.yml | 8 +- php/handlers/main.yml | 14 +-- php/tasks/config_apache.yml | 8 +- php/tasks/config_cli.yml | 8 +- php/tasks/config_fpm.yml | 14 +-- php/tasks/main.yml | 12 +-- php/tasks/main_bookworm.yml | 32 +++---- php/tasks/main_bullseye.yml | 28 +++--- php/tasks/main_buster.yml | 30 +++---- php/tasks/main_jessie.yml | 22 ++--- php/tasks/main_stretch.yml | 28 +++--- php/tasks/sury_post.yml | 12 +-- php/tasks/sury_pre.yml | 16 ++-- postfix/handlers/main.yml | 7 +- postfix/tasks/common.yml | 5 +- postfix/tasks/main.yml | 8 +- postfix/tasks/minimal.yml | 4 +- postfix/tasks/packmail.yml | 30 ++++--- postfix/tasks/slow_transport.yml | 4 +- postgresql/handlers/main.yml | 14 +-- postgresql/tasks/config.yml | 12 +-- postgresql/tasks/locales.yml | 6 +- postgresql/tasks/logrotate.yml | 2 +- postgresql/tasks/munin.yml | 8 +- postgresql/tasks/nrpe.yml | 15 ++-- postgresql/tasks/packages_bullseye.yml | 6 +- postgresql/tasks/packages_buster.yml | 6 +- postgresql/tasks/packages_jessie.yml | 6 +- postgresql/tasks/packages_stretch.yml | 6 +- postgresql/tasks/pgdg-repo.yml | 10 +-- postgresql/tasks/postgis.yml | 2 +- postgresql/tests/test.yml | 7 +- proftpd/handlers/main.yml | 2 +- proftpd/tasks/account.yml | 19 ++-- proftpd/tasks/accounts.yml | 14 +-- proftpd/tasks/accounts_password.yml | 17 ++-- proftpd/tasks/main.yml | 21 ++--- rabbitmq/handlers/main.yml | 6 +- rabbitmq/tasks/main.yml | 18 ++-- rabbitmq/tasks/munin.yml | 10 +-- rabbitmq/tasks/nrpe.yml | 14 +-- rbenv/tasks/main.yml | 26 +++--- redis/handlers/main.yml | 12 +-- redis/tasks/default-log2mail.yml | 4 +- redis/tasks/default-munin.yml | 19 ++-- 
redis/tasks/default-server.yml | 6 +- redis/tasks/instance-log2mail.yml | 2 +- redis/tasks/instance-munin.yml | 14 +-- redis/tasks/instance-server.yml | 32 +++---- redis/tasks/main.yml | 44 ++++----- redis/tasks/nrpe.yml | 22 ++--- redis/tasks/thp.yml | 9 +- redmine/handlers/main.yml | 4 +- redmine/tasks/config.yml | 10 +-- redmine/tasks/main.yml | 8 +- redmine/tasks/mysql.yml | 14 +-- redmine/tasks/nginx.yml | 6 +- redmine/tasks/packages.yml | 6 +- redmine/tasks/release.yml | 33 ++++--- redmine/tasks/source.yml | 16 ++-- redmine/tasks/syslog.yml | 6 +- redmine/tasks/user.yml | 12 +-- remount-usr/handlers/main.yml | 3 +- remount-usr/tasks/main.yml | 6 +- spamassasin/handlers/main.yml | 2 +- spamassasin/tasks/main.yml | 29 +++--- squid/handlers/main.yml | 15 ++-- squid/tasks/log2mail.yml | 6 +- squid/tasks/logrotate_jessie.yml | 5 +- squid/tasks/logrotate_stretch.yml | 5 +- squid/tasks/main.yml | 50 +++++------ squid/tasks/minifirewall.legacy.yml | 10 +-- squid/tasks/minifirewall.yml | 15 ++-- squid/tasks/systemd.yml | 9 +- ssl/handlers/main.yml | 2 +- ssl/tasks/haproxy.yml | 8 +- ssl/tasks/main.yml | 12 +-- supervisord/handlers/main.yml | 2 +- supervisord/tasks/main.yml | 4 +- tomcat-instance/tasks/alias.yml | 4 +- tomcat-instance/tasks/bootstrap.yml | 8 +- tomcat-instance/tasks/check.yml | 8 +- tomcat-instance/tasks/main.yml | 10 +-- tomcat-instance/tasks/systemd.yml | 5 +- tomcat-instance/tasks/user.yml | 25 +++--- tomcat/tasks/main.yml | 4 +- tomcat/tasks/nagios.yml | 8 +- tomcat/tasks/packages.yml | 16 ++-- unbound/handlers/main.yml | 2 +- unbound/tasks/main.yml | 8 +- userlogrotate/tasks/main.yml | 4 +- varnish/handlers/main.yml | 8 +- varnish/tasks/main.yml | 34 +++---- varnish/tasks/munin.yml | 14 +-- vrrpd/tasks/ip.yml | 6 +- vrrpd/tasks/main.yml | 15 ++-- webapps/evoadmin-mail/handlers/main.yml | 6 +- webapps/evoadmin-mail/tasks/apache.yml | 6 +- webapps/evoadmin-mail/tasks/main.yml | 14 +-- webapps/evoadmin-mail/tasks/nginx.yml | 8 +- 
webapps/evoadmin-mail/tasks/ssl.yml | 10 ++- webapps/evoadmin-web/handlers/main.yml | 7 +- webapps/evoadmin-web/tasks/config.yml | 6 +- webapps/evoadmin-web/tasks/ftp.yml | 4 +- webapps/evoadmin-web/tasks/main.yml | 16 ++-- webapps/evoadmin-web/tasks/packages.yml | 12 +-- webapps/evoadmin-web/tasks/ssl.yml | 10 ++- webapps/evoadmin-web/tasks/user.yml | 35 ++++---- webapps/evoadmin-web/tasks/web.yml | 22 ++--- webapps/nextcloud/handlers/main.yml | 6 +- webapps/nextcloud/tasks/apache-system.yml | 9 +- webapps/nextcloud/tasks/apache-vhost.yml | 4 +- webapps/nextcloud/tasks/archive.yml | 9 +- webapps/nextcloud/tasks/config.yml | 23 +++-- webapps/nextcloud/tasks/main.yml | 18 ++-- webapps/nextcloud/tasks/mysql-user.yml | 16 ++-- webapps/nextcloud/tasks/user.yml | 7 +- webapps/roundcube/handlers/main.yml | 6 +- webapps/roundcube/tasks/main.yml | 28 +++--- webapps/wordpress/tasks/main.yml | 39 ++++---- 392 files changed, 2517 insertions(+), 2298 deletions(-) diff --git a/amavis/handlers/main.yml b/amavis/handlers/main.yml index 62049999..6d76108b 100644 --- a/amavis/handlers/main.yml +++ b/amavis/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart amavis - service: + ansible.builtin.service: name: amavis state: restarted diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 1b0932d5..4fa452e5 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install Amavis - apt: + ansible.builtin.apt: name: - postgrey - amavisd-new @@ -9,7 +9,7 @@ - amavis - name: configure Amavis - template: + ansible.builtin.template: src: amavis.conf.j2 dest: /etc/amavis/conf.d/49-evolinux-defaults mode: "0644" diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml index d4e125a7..18dcb7a0 100644 --- a/amazon-ec2/amazon-ec2-evolinux.yml +++ b/amazon-ec2/amazon-ec2-evolinux.yml 
@@ -9,10 +9,10 @@ aws_region: ca-central-1 tasks: - - include_role: + - ansible.builtin.include_role: name: evolix/amazon-ec2 tasks_from: setup.yml - - include_role: + - ansible.builtin.include_role: name: evolix/amazon-ec2 tasks_from: create-instance.yml @@ -51,7 +51,7 @@ - mysql post_tasks: - - include_role: + - ansible.builtin.include_role: name: evolix/etc-git tasks_from: commit.yml vars: diff --git a/amazon-ec2/tasks/create-instance.yml b/amazon-ec2/tasks/create-instance.yml index 86e8f803..7dd4ef3f 100644 --- a/amazon-ec2/tasks/create-instance.yml +++ b/amazon-ec2/tasks/create-instance.yml @@ -1,7 +1,7 @@ --- - name: Launch new instance(s) - ec2: + amazon.aws.ec2: state: present aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" @@ -16,19 +16,19 @@ register: ec2 - name: Add newly created instance(s) to inventory - add_host: + ansible.builtin.add_host: hostname: "{{ item.public_dns_name }}" groupname: launched-instances ansible_user: admin ansible_ssh_common_args: "-o StrictHostKeyChecking=no" loop: "{{ ec2.instances }}" -- debug: +- ansible.builtin.debug: msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}" loop: "{{ ec2.instances }}" - name: Wait for SSH to come up on all instances (give up after 2m) - wait_for: + ansible.builtin.wait_for: state: started host: "{{ item.public_dns_name }}" port: 22 diff --git a/amazon-ec2/tasks/post-install.yml b/amazon-ec2/tasks/post-install.yml index 369f4941..80f624a8 100644 --- a/amazon-ec2/tasks/post-install.yml +++ b/amazon-ec2/tasks/post-install.yml @@ -1,5 +1,5 @@ --- - name: Remove admin user - user: + ansible.builtin.user: name: admin state: absent diff --git a/amazon-ec2/tasks/setup.yml b/amazon-ec2/tasks/setup.yml index fe136fa1..d3bc00a5 100644 --- a/amazon-ec2/tasks/setup.yml +++ b/amazon-ec2/tasks/setup.yml 
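Review bot: `amazon.aws.ec2` on the first changed line of this hunk names the legacy `ec2` module, which — if I remember the collection history correctly — was dropped from amazon.aws in its 4.0 release in favour of `amazon.aws.ec2_instance`, so the new FQCN only resolves against an old collection pin and fails to load on current ones. The credential parameters visible here (`aws_access_key`, `aws_secret_key`) carry over to `ec2_instance`, but its returned `instances` structure differs, so the `register: ec2` consumers in the next hunk (`item.public_dns_name`) need checking at the same time. At minimum pin the collection version in a `requirements.yml` next to this role so the incompatibility is explicit rather than discovered at runtime.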
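Review bot: `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` in the `add_host` task disables host-key verification for every later SSH connection to the new instance, which is exactly the first-contact window where a MITM matters most, and the setting persists for the rest of the play (the `post-install.yml` hunk below removes the `admin` user, presumably over the same connection). These instances are freshly created so the key cannot be known in advance, but it can still be pinned: `ansible_ssh_common_args: "-o StrictHostKeyChecking=accept-new"` (OpenSSH 7.6+) accepts the first key and rejects any later change, and the fingerprints printed on the instance's console output allow a real check. The `wait_for` port-22 task that follows is a natural place to add an `ssh-keyscan` into a dedicated `UserKnownHostsFile` if strict mode is wanted back.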
@@ -1,7 +1,7 @@ --- - name: Create default security group - ec2_group: + amazon.aws.ec2_group: name: "{{ ec2_security_group.name }}" state: present aws_access_key: "{{ aws_access_key }}" @@ -12,7 +12,7 @@ rules_egress: "{{ ec2_security_group.rules_egress }}" - name: Create key pair - ec2_key: + amazon.aws.ec2_key: name: "{{ ec2_keyname }}" state: present aws_access_key: "{{ aws_access_key }}" diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 96daa368..e8e31627 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: restart apache - service: + ansible.builtin.service: name: apache2 state: restarted - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index fd01517c..2c4d75ff 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -1,7 +1,7 @@ --- - name: Init ipaddr_whitelist.conf file - copy: + ansible.builtin.copy: src: ipaddr_whitelist.conf dest: /etc/apache2/ipaddr_whitelist.conf owner: root @@ -12,10 +12,10 @@ - apache - name: Load IP whitelist task - include: ip_whitelist.yml + ansible.builtin.import_tasks: ip_whitelist.yml - name: include private IP whitelist for server-status - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/mods-available/status.conf line: " include /etc/apache2/ipaddr_whitelist.conf" insertafter: 'SetHandler server-status' @@ -24,7 +24,7 @@ - apache - name: Copy private_htpasswd - copy: + ansible.builtin.copy: src: private_htpasswd dest: /etc/apache2/private_htpasswd owner: root @@ -36,7 +36,7 @@ - apache - name: add user:pwd to private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/private_htpasswd line: "{{ item }}" state: present 
@@ -46,7 +46,7 @@ - apache - name: remove user:pwd from private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/private_htpasswd line: "{{ item }}" state: absent diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index 18f4a681..5060f56e 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -1,7 +1,7 @@ --- - name: add IP addresses to private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: present @@ -12,7 +12,7 @@ - ips - name: remove IP addresses from private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: absent diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index 3b0650b7..42b18dae 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -1,14 +1,14 @@ --- - name: log2mail is installed - apt: + ansible.builtin.apt: name: log2mail state: present tags: - apache - name: Add log2mail config for Apache segfaults - template: + ansible.builtin.template: src: log2mail-apache.j2 dest: "/etc/log2mail/config/apache" owner: log2mail diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 1a028205..c1ca9d7b 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: packages are installed (Debian 9 or later) - apt: + ansible.builtin.apt: name: - apache2 - libapache2-mod-evasive @@ -14,7 +14,7 @@ when: ansible_distribution_major_version is version('9', '>=') - name: itk package is installed if required (Debian 9 or later) - apt: + ansible.builtin.apt: name: - libapache2-mpm-itk state: present @@ -26,7 +26,7 @@ - apache_mpm == "itk" - name: packages are installed (jessie) - apt: + ansible.builtin.apt: name: - apache2-mpm-itk - libapache2-mod-evasive 
@@ -39,7 +39,7 @@ when: ansible_distribution_release == "jessie" - name: basic modules are enabled - apache2_module: + community.general.apache2_module: name: '{{ item }}' state: present loop: @@ -55,7 +55,7 @@ - apache - name: basic modules are enabled - apache2_module: + community.general.apache2_module: name: '{{ item }}' state: present loop: @@ -67,7 +67,7 @@ - name: Copy Apache defaults config file - copy: + ansible.builtin.copy: src: evolinux-defaults.conf dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf" owner: root @@ -79,7 +79,7 @@ - apache - name: Copy Apache custom config file - copy: + ansible.builtin.copy: src: evolinux-custom.conf dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf" owner: root @@ -91,7 +91,7 @@ - apache - name: disable status.conf - file: + ansible.builtin.file: dest: /etc/apache2/mods-enabled/status.conf state: absent notify: reload apache @@ -99,7 +99,8 @@ - apache - name: Ensure Apache config files are enabled - command: "a2enconf {{ item }}" + ansible.builtin.command: + cmd: "a2enconf {{ item }}" register: command_result changed_when: "'Enabling' in command_result.stderr" loop: @@ -109,12 +110,12 @@ tags: - apache -- include: auth.yml +- ansible.builtin.include: auth.yml tags: - apache - name: default vhost is installed - template: + ansible.builtin.template: src: evolinux-default.conf.j2 dest: /etc/apache2/sites-available/000-evolinux-default.conf mode: "0640" @@ -124,7 +125,7 @@ - apache - name: default vhost is enabled - file: + ansible.builtin.file: src: /etc/apache2/sites-available/000-evolinux-default.conf dest: /etc/apache2/sites-enabled/000-default.conf state: link 
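Review bot: `ansible.builtin.include: auth.yml` keeps the deprecated `include` action instead of migrating it, while the same commit converts the equivalent `include: ip_whitelist.yml` in apache/tasks/auth.yml to `ansible.builtin.import_tasks`, so the two files now disagree. `include` has been deprecated since Ansible 2.4 and, as far as I know, is removed in ansible-core 2.16, which would make this freshly "modernised" file fail to load on a current control node. The file name is static and the `tags: - apache` on it should apply to the included tasks, so `- ansible.builtin.import_tasks: auth.yml` is the drop-in replacement; the same applies to `server_status.yml`, `log2mail.yml` and `munin.yml` further down this file and to bind/tasks/main.yml in this commit.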
@@ -134,12 +135,13 @@ tags: - apache -- include: server_status.yml +- ansible.builtin.include: server_status.yml tags: - apache - name: is umask already present? - command: "grep -E '^umask ' /etc/apache2/envvars" + ansible.builtin.command: + cmd: "grep -E '^umask ' /etc/apache2/envvars" failed_when: False changed_when: False register: envvar_grep_umask @@ -148,7 +150,7 @@ - apache - name: Add a mark in envvars for umask - blockinfile: + ansible.builtin.blockinfile: dest: /etc/apache2/envvars marker: "## {mark} ANSIBLE MANAGED BLOCK" block: | @@ -159,13 +161,13 @@ tags: - apache -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - apache - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -175,7 +177,7 @@ - apache - name: "Install save_apache_status.sh" - copy: + ansible.builtin.copy: src: save_apache_status.sh dest: /usr/share/scripts/save_apache_status.sh mode: "0755" @@ -184,7 +186,7 @@ - apache - name: "logrotate: {{ apache_logrotate_frequency }}" - replace: + ansible.builtin.replace: dest: /etc/logrotate.d/apache2 regexp: "(daily|weekly|monthly)" replace: "{{ apache_logrotate_frequency }}" @@ -192,19 +194,19 @@ - apache - name: "logrotate: rotate {{ apache_logrotate_rotate }}" - replace: + ansible.builtin.replace: dest: /etc/logrotate.d/apache2 regexp: '^(\s+rotate) \d+$' replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache -- include: log2mail.yml +- ansible.builtin.include: log2mail.yml when: apache_log2mail_include tags: - apache -- include: munin.yml +- ansible.builtin.include: munin.yml when: apache_munin_include | bool tags: - apache diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index fe07a5cf..af3c1a21 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: "Install munin-node and core plugins packages" - apt: + ansible.builtin.apt: name: - munin-node - munin-plugins-core 
@@ -11,7 +11,7 @@ - munin - name: "Enable Munin plugins" - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link @@ -25,7 +25,7 @@ - munin - name: "Install fcgi packages for Munin graphs" - apt: + ansible.builtin.apt: name: - libapache2-mod-fcgid - libcgi-fast-perl @@ -36,7 +36,8 @@ - munin - name: "Enable libapache2-mod-fcgid" - command: a2enmod fcgid + ansible.builtin.command: + cmd: a2enmod fcgid register: cmd_enable_fcgid changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout" notify: restart apache @@ -45,7 +46,7 @@ - munin - name: "Apache has access to /var/log/munin/" - file: + ansible.builtin.file: path: /var/log/munin/ group: www-data tags: diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 38daf285..7b188e51 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -1,7 +1,7 @@ --- - name: server status dirname exists - file: + ansible.builtin.file: dest: "{{ apache_serverstatus_suffix_file | dirname }}" mode: "0700" owner: root @@ -9,7 +9,7 @@ state: directory - name: set apache serverstatus suffix if provided - copy: + ansible.builtin.copy: dest: "{{ apache_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ apache_serverstatus_suffix }}\u000A" 
@@ -17,51 +17,53 @@ when: apache_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix - shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}" + ansible.builtin.shell: + cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}" args: creates: "{{ apache_serverstatus_suffix_file }}" - name: read apache server status suffix - command: "tail -n 1 {{ apache_serverstatus_suffix_file }}" + ansible.builtin.command: + cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}" changed_when: False check_mode: no register: new_apache_serverstatus_suffix - name: overwrite apache_serverstatus_suffix - set_fact: + ansible.builtin.set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" -- debug: +- ansible.builtin.debug: var: apache_serverstatus_suffix verbosity: 1 - name: replace server-status suffix in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" - name: add server-status suffix in default site index if missing - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' - name: add server-status suffix in default VHost - replace: + ansible.builtin.replace: dest: /etc/apache2/sites-available/000-evolinux-default.conf regexp: '' replace: '' notify: reload apache - name: Munin configuration has a section for apache - lineinfile: + ansible.builtin.lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no - name: apache-status URL is configured for Munin - lineinfile: + ansible.builtin.lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto" regexp: 'env.url http://[^\\/]+/server-status' 
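Review bot: The random suffix produced by `cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"` is the only thing protecting `/server-status-<suffix>` (request URLs, client IPs, worker state), and the later tasks in this hunk write it verbatim into `/var/www/index.html`, so its secrecy is exactly that of the default vhost's index page — presumably the IP whitelist / `private_htpasswd` from auth.yml, which deserves a comment next to the task. If I read apg's mode flags right, `-M N` restricts the alphabet to digits, giving an 8–10 digit token at apg's default length; `cmd: "tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32 > {{ apache_serverstatus_suffix_file }}"` makes the entropy explicit and drops the dependency on apg being installed. The shell redirect also creates the file with the current umask; the `0700` parent directory from the first hunk covers it today, but an explicit `umask 077 &&` in front of the command would make that independent of the directory mode.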
@@ -70,7 +72,7 @@ notify: restart munin-node - name: add mailgraph URL in index.html - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html state: present line: '
  • Stats Mail
  • ' diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 633b9266..421e59e6 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -1,7 +1,7 @@ --- - name: Backports deb822 sources list is installed - template: + ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.sources.j2' dest: /etc/apt/sources.list.d/backports.sources force: yes @@ -11,7 +11,7 @@ - apt - name: Backports configuration - copy: + ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults force: yes @@ -21,7 +21,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes when: apt_backports_sources is changed or apt_backports_config is changed tags: diff --git a/apt/tasks/backports.oneline.yml b/apt/tasks/backports.oneline.yml index 7f6509b0..9b7118b7 100644 --- a/apt/tasks/backports.oneline.yml +++ b/apt/tasks/backports.oneline.yml @@ -1,6 +1,6 @@ --- - name: No backports config in default sources.list - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/sources.list regexp: "backports" state: absent @@ -8,7 +8,7 @@ - apt - name: Backports sources list is installed - template: + ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.list.j2' dest: /etc/apt/sources.list.d/backports.list force: yes @@ -18,7 +18,7 @@ - apt - name: Backports configuration - copy: + ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults force: yes @@ -28,7 +28,7 @@ - apt - name: Archived backport are accepted (jessie) - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/apt/apt.conf.d/99no-check-valid-until' line: 'Acquire::Check-Valid-Until no;' create: yes @@ -38,7 +38,7 @@ when: ansible_distribution_release == "jessie" - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt 
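Review bot: `Acquire::Check-Valid-Until no;` written to `/etc/apt/apt.conf.d/99no-check-valid-until` is a host-wide setting: it turns off Release-file expiry checking for every repository on the machine, not only the archived jessie-backports it is meant for, so a stale or replayed mirror of any configured source is no longer detected. Jessie's apt predates the per-source `[check-valid-until=no]` option, so a global knob is probably the only way on that release, but the task should say so, e.g. `# jessie's apt has no per-source check-valid-until; this disables Valid-Until checks for ALL repos on the host`. The `when: ansible_distribution_release == "jessie"` guard only prevents creation; a matching `state: absent` task on the non-jessie branch is needed so the file does not outlive a dist-upgrade.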
diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 205574e5..6ebf65ab 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -3,11 +3,11 @@ # Backward compatibility task file - name: Install backports repositories (Debian <12) - import_tasks: backports.oneline.yml + ansible.builtin.import_tasks: backports.oneline.yml when: - ansible_distribution_major_version is version('12', '<') - name: Install backports repositories (Debian >=12) - import_tasks: backports.deb822.yml + ansible.builtin.import_tasks: backports.deb822.yml when: - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml index b99a8af4..a8663572 100644 --- a/apt/tasks/basics.deb822.yml +++ b/apt/tasks/basics.deb822.yml @@ -1,7 +1,7 @@ --- - name: Change basics repositories - template: + ansible.builtin.template: src: "{{ ansible_distribution_release }}_basics.sources.j2" dest: /etc/apt/sources.list.d/system.sources mode: "0644" @@ -11,7 +11,7 @@ - apt - name: Change security repositories - template: + ansible.builtin.template: src: "{{ ansible_distribution_release }}_security.sources.j2" dest: /etc/apt/sources.list.d/security.sources mode: "0644" @@ -27,7 +27,8 @@ register: list_files - name: Disable one-line-formatted sources - command: "mv --verbose {{ item.path }} {{ item.path }}.bak" + ansible.builtin.command: + cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak" environment: LC_ALL: C loop: "{{ list_files.files }}" @@ -37,7 +38,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/basics.oneline.yml b/apt/tasks/basics.oneline.yml index 8e0a562c..4d457f0d 100644 --- a/apt/tasks/basics.oneline.yml +++ b/apt/tasks/basics.oneline.yml 
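Review bot: `cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"` interpolates a path returned by the preceding `find` (`list_files`) into a string that `ansible.builtin.command` still splits on whitespace, so a filename containing a space yields a broken `mv` even though no shell is involved. The `argv` form avoids the splitting entirely: `argv: ["mv", "--verbose", "{{ item.path }}", "{{ item.path }}.bak"]`. Leaving the `.bak` files in `/etc/apt/sources.list.d/` is fine as apt ignores unknown extensions there, but that assumption is worth a one-line comment on the task.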
@@ -1,7 +1,7 @@ --- - name: Change basics repositories - template: + ansible.builtin.template: src: "{{ ansible_distribution_release }}_basics.list.j2" dest: /etc/apt/sources.list mode: "0644" @@ -11,7 +11,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index 7966c849..885f33f5 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml @@ -3,11 +3,11 @@ # Backward compatibility task file - name: Install basics repositories (Debian <12) - import_tasks: basics.oneline.yml + ansible.builtin.import_tasks: basics.oneline.yml when: - ansible_distribution_major_version is version('12', '<') - name: Install basics repositories (Debian >=12) - import_tasks: basics.deb822.yml + ansible.builtin.import_tasks: basics.deb822.yml when: - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 62155623..b403ab03 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -1,7 +1,7 @@ --- - name: Evolinux config for APT - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/apt.conf.d/z-evolinux.conf line: "{{ item.line }}" regexp: "{{ item.regexp }}" @@ -17,7 +17,7 @@ when: apt_evolinux_config | bool - name: DPkg invoke hooks - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/apt.conf.d/z-evolinux.conf line: "{{ item }}" create: yes @@ -33,7 +33,7 @@ when: apt_hooks | bool - name: Remove Aptitude - apt: + ansible.builtin.apt: name: aptitude state: absent tags: diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml index a98a9983..036645e7 100644 --- a/apt/tasks/evolix_public.deb822.yml +++ b/apt/tasks/evolix_public.deb822.yml 
@@ -1,14 +1,14 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring tags: - apt - name: Evolix embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent @@ -17,7 +17,7 @@ when: _trusted_gpg_keyring.stat.exists - name: Add Evolix GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" force: yes @@ -28,7 +28,7 @@ - apt - name: Evolix public list is installed - template: + ansible.builtin.template: src: evolix_public.sources.j2 dest: /etc/apt/sources.list.d/evolix_public.sources force: yes @@ -38,7 +38,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/evolix_public.oneline.yml b/apt/tasks/evolix_public.oneline.yml index e3ca833e..9c502a33 100644 --- a/apt/tasks/evolix_public.oneline.yml +++ b/apt/tasks/evolix_public.oneline.yml @@ -1,14 +1,14 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring tags: - apt - name: Evolix embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent @@ -17,7 +17,7 @@ when: _trusted_gpg_keyring.stat.exists - name: Add Evolix GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" force: yes @@ -28,7 +28,7 @@ - apt - name: Evolix public list is installed - template: + ansible.builtin.template: src: evolix_public.list.j2 dest: /etc/apt/sources.list.d/evolix_public.list force: yes @@ -38,7 +38,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 6d0a2de4..8795a6a5 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml 
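Review bot: `id: "B8612B5D"` in the `apt_key ... state: absent` task identifies the key to remove from the legacy `/etc/apt/trusted.gpg` by a 32-bit short key ID, and short IDs are cheap to collide; since the task only deletes, the failure mode is removing (or failing to remove) the wrong key, but the full 40-hex fingerprint costs nothing and removes the ambiguity. The same `id:` value appears in the evolix_public.oneline.yml hunk below. The `copy` of `pub_evolix.asc` into `{{ apt_keyring_dir }}` that follows is cut off in this hunk, so I cannot see whether `owner`/`mode` are set; apt's `gpgv` method runs as `_apt` and ignores keyrings it cannot read, so `mode: "0644"` should be explicit there.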
@@ -3,11 +3,11 @@ # Backward compatibility task file - name: Install Evolix Public repositories (Debian <12) - import_tasks: evolix_public.oneline.yml + ansible.builtin.import_tasks: evolix_public.oneline.yml when: - ansible_distribution_major_version is version('12', '<') - name: Install Evolix Public repositories (Debian >=12) - import_tasks: evolix_public.deb822.yml + ansible.builtin.import_tasks: evolix_public.deb822.yml when: - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 2b3b815f..26ced4c7 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -1,11 +1,11 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: "hold packages (apt)" - shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})" executable: /bin/bash check_mode: no register: apt_mark @@ -18,7 +18,7 @@ - apt - name: "/etc/evolinux is present" - file: + ansible.builtin.file: dest: /etc/evolinux mode: "0700" state: directory @@ -26,7 +26,7 @@ - apt - name: "hold packages (config)" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/evolinux/apt_hold_packages.cf line: "{{ item }}" create: True 
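Review bot: `check_mode: no` on the `hold packages (apt)` shell task makes `apt-mark hold {{ item }}` run even under `--check`, so a dry run of this role actually changes the host's package state; drop `check_mode: no`, or split the read-only `dpkg -l`/`showhold` probe from the mutating `apt-mark hold`. Separately, `apt-mark showhold | grep --quiet {{ item }}` is a substring and regex match: with `nginx-common` already held, an item `nginx` is reported as held and never marked, and a name with regex metacharacters is interpreted as a pattern. `grep --quiet --line-regexp --fixed-strings -- {{ item | quote }}` (or `apt-mark showhold {{ item | quote }}`, which I believe already filters by name) fixes both, and `| quote` also keeps an inventory-supplied package name from being parsed by bash; the `unhold packages (apt)` task in the next hunk has the same shape.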
@@ -36,8 +36,8 @@ - apt - name: "unhold packages (apt)" - shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})" executable: /bin/bash check_mode: no register: apt_mark @@ -48,7 +48,7 @@ - apt - name: "unhold packages (config)" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/evolinux/apt_hold_packages.cf line: "{{ item }}" create: True @@ -58,7 +58,7 @@ - apt - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -68,7 +68,7 @@ - apt - name: Check scripts is installed - copy: + ansible.builtin.copy: src: check_held_packages.sh dest: /usr/share/scripts/check_held_packages.sh force: yes @@ -77,7 +77,8 @@ - apt - name: Check if Cron is installed - shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'" + ansible.builtin.shell: + cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'" register: is_cron changed_when: False failed_when: False @@ -86,7 +87,7 @@ - apt - name: Check for held packages (script) - cron: + ansible.builtin.cron: cron_file: apt-hold-packages name: check_held_packages job: "/usr/share/scripts/check_held_packages.sh" diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 104756d2..295f42f1 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: "Compatibility check" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') @@ -10,7 +10,7 @@ - apt - name: "apt-transport-https is installed for https repositories (before Buster)" - apt: + ansible.builtin.apt: name: - apt-transport-https tags: 
@@ -18,20 +18,20 @@ when: ansible_distribution_major_version is version('10', '<') - name: "certificates are installed for https repositories" - apt: + ansible.builtin.apt: name: - ca-certificates tags: - apt - name: Custom configuration - import_tasks: config.yml + ansible.builtin.import_tasks: config.yml when: apt_config | bool tags: - apt - name: Install basics repositories (Debian <12) - import_tasks: basics.oneline.yml + ansible.builtin.import_tasks: basics.oneline.yml tags: - apt when: @@ -39,7 +39,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install basics repositories (Debian >=12) - import_tasks: basics.deb822.yml + ansible.builtin.import_tasks: basics.deb822.yml tags: - apt when: @@ -47,7 +47,7 @@ - ansible_distribution_major_version is version('12', '>=') - name: Install backports repositories (Debian <12) - import_tasks: backports.oneline.yml + ansible.builtin.import_tasks: backports.oneline.yml tags: - apt when: @@ -57,7 +57,7 @@ # With Debian 12+ and the deb822 format of source files # backports are always installed but enabled according to `apt_install_backports` - name: Install backports repositories (Debian >=12) - import_tasks: backports.deb822.yml + ansible.builtin.import_tasks: backports.deb822.yml tags: - apt when: @@ -65,7 +65,7 @@ - name: Install Evolix Public repositories (Debian <12) - import_tasks: evolix_public.oneline.yml + ansible.builtin.import_tasks: evolix_public.oneline.yml tags: - apt when: @@ -73,7 +73,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install Evolix Public repositories (Debian >=12) - import_tasks: evolix_public.deb822.yml + ansible.builtin.import_tasks: evolix_public.deb822.yml tags: - apt when: @@ -81,7 +81,7 @@ - ansible_distribution_major_version is version('12', '>=') - name: Clean GANDI sources - file: + ansible.builtin.file: path: '{{ item }}' state: absent loop: 
@@ -97,20 +97,20 @@ - name: Install check for packages marked hold - import_tasks: hold_packages.yml + ansible.builtin.import_tasks: hold_packages.yml when: apt_install_hold_packages | bool tags: - apt - name: Updating APT cache - apt: + ansible.builtin.apt: update_cache: yes changed_when: False tags: - apt - name: Upgrading system - apt: + ansible.builtin.apt: upgrade: dist when: apt_upgrade | bool tags: diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml index 642bcb4f..720045bf 100644 --- a/apt/tasks/migrate-to-deb822.yml +++ b/apt/tasks/migrate-to-deb822.yml @@ -1,9 +1,9 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -13,7 +13,7 @@ - apt - name: Migration scripts are installed - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "/usr/share/scripts/{{ item }}" force: yes @@ -25,7 +25,8 @@ - apt - name: Exec migration script - command: /usr/share/scripts/deb822-migration.sh + ansible.builtin.command: + cmd: /usr/share/scripts/deb822-migration.sh ignore_errors: yes tags: - apt \ No newline at end of file diff --git a/apt/tasks/move-apt-keyring.yml b/apt/tasks/move-apt-keyring.yml index 4214d2d6..5b0cdd9b 100644 --- a/apt/tasks/move-apt-keyring.yml +++ b/apt/tasks/move-apt-keyring.yml @@ -1,18 +1,18 @@ --- - name: New APT keyrings directory is present - file: + ansible.builtin.file: path: /etc/apt/keyrings state: directory mode: "0755" owner: root group: root -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -22,7 +22,7 @@ - apt - name: migration script is present - copy: + ansible.builtin.copy: src: move-apt-keyrings.sh dest: /usr/share/scripts/move-apt-keyrings.sh mode: "0755" 
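Review bot: `ignore_errors: yes` on `cmd: /usr/share/scripts/deb822-migration.sh` lets the play continue after a failed or partial rewrite of the host's apt sources, and nothing downstream checks the result, so a later `apt update`/upgrade may silently run against whatever the script left behind (its exit-code contract is not visible here). Prefer `register: _deb822_migration` with a `failed_when:` naming the known-benign cases, and a `changed_when:` keyed on its output so the task stops reporting changed on every run; if errors really must be tolerated, a `debug: var: _deb822_migration` after it at least surfaces them, as move-apt-keyring.yml in this commit already does for its script via `_cmd`.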
@@ -30,7 +30,8 @@ group: root - name: Move repository signing key - command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" + ansible.builtin.command: + cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" loop: - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" } - { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" } @@ -48,5 +49,5 @@ register: _cmd - name: Debug command - debug: + ansible.builtin.debug: var: _cmd diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index b426fcd1..5461579d 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -1,21 +1,21 @@ --- - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: restart apparmor - systemd: + ansible.builtin.systemd: name: apparmor state: restarted - name: restart bind - systemd: + ansible.builtin.systemd: name: bind9 state: restarted - name: restart munin-node - systemd: + ansible.builtin.systemd: name: munin-node state: restarted diff --git a/bind/tasks/authoritative.yml b/bind/tasks/authoritative.yml index 52992fa1..abfa96d8 100644 --- a/bind/tasks/authoritative.yml +++ b/bind/tasks/authoritative.yml @@ -1,7 +1,7 @@ --- - name: Set bind configuration for authoritative server - template: + ansible.builtin.template: src: named.conf.options_authoritative.j2 dest: /etc/bind/named.conf.options owner: bind diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 9b053b6c..67776531 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -1,6 +1,6 @@ # Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths. - name: set chroot variables - set_fact: + ansible.builtin.set_fact: bind_log_file: /var/log/bind.log bind_query_file: /var/log/bind_queries.log bind_cache_dir: /var/cache/bind 
@@ -9,14 +9,15 @@ when: bind_chroot_set | bool - name: Check AppArmor - shell: systemctl is-active apparmor || systemctl is-enabled apparmor + ansible.builtin.shell: + cmd: systemctl is-active apparmor || systemctl is-enabled apparmor failed_when: False changed_when: False check_mode: no register: check_apparmor - name: configure apparmor - template: + ansible.builtin.template: src: apparmor.usr.sbin.named.j2 dest: /etc/apparmor.d/usr.sbin.named owner: root @@ -27,20 +28,20 @@ when: check_apparmor.rc == 0 - name: package are installed - apt: + ansible.builtin.apt: name: - bind9 - dnstop state: present -- include: authoritative.yml +- ansible.builtin.include: authoritative.yml when: bind_authoritative_server | bool -- include: recursive.yml +- ansible.builtin.include: recursive.yml when: bind_recursive_server | bool - name: Create systemd service for Debian 8 (Jessie) - template: + ansible.builtin.template: src: bind9.service.jessie.j2 dest: "{{ bind_systemd_service_path }}" owner: root @@ -53,7 +54,7 @@ when: ansible_distribution_release == "jessie" - name: "touch {{ bind_log_file }} if non chroot" - file: + ansible.builtin.file: path: "{{ bind_log_file }}" owner: bind group: adm @@ -62,7 +63,7 @@ when: not (bind_chroot_set | bool) - name: "touch {{ bind_query_file }} if non chroot" - file: + ansible.builtin.file: path: "{{ bind_query_file }}" owner: bind group: adm @@ -71,7 +72,7 @@ when: not (bind_chroot_set | bool) - name: send chroot-bind.sh in /root - copy: + ansible.builtin.copy: src: chroot-bind.sh dest: /root/chroot-bind.sh mode: "0700" 
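Review bot: `ansible.builtin.include: authoritative.yml` and `ansible.builtin.include: recursive.yml` in the bind/tasks/main.yml hunk migrate the deprecated `include` action to its FQCN instead of replacing it; `include` has been deprecated since Ansible 2.4 and is removed in ansible-core 2.16, so these lines fail on a current controller. The dynamic equivalent is `ansible.builtin.include_tasks: authoritative.yml`, or `ansible.builtin.import_tasks` when the `when:` should be applied to every imported task at parse time. The same `ansible.builtin.include` appears later in bind/tasks/main.yml (munin.yml), certbot/tasks/main.yml, dovecot/tasks/main.yml, drbd/tasks/main.yml, elasticsearch/tasks/main.yml, etc-git/tasks/main.yml and etc-git/tasks/repositories.yml. Where `tags:` sits on the include (dovecot and etc-git), note that `include_tasks` does not propagate tags to the included tasks without `apply:`, whereas `import_tasks` does.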
@@ -81,19 +82,20 @@ when: bind_chroot_set | bool - name: exec chroot-bind.sh - command: "/root/chroot-bind.sh" + ansible.builtin.command: + cmd: "/root/chroot-bind.sh" register: chrootbind_run changed_when: False when: bind_chroot_set | bool -- debug: +- ansible.builtin.debug: var: chrootbind_run.stdout_lines when: - bind_chroot_set | bool - chrootbind_run.stdout | length > 0 - name: Modify OPTIONS in /etc/default/bind9 for chroot - replace: + ansible.builtin.replace: dest: /etc/default/bind9 regexp: '^OPTIONS=.*' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' @@ -101,7 +103,7 @@ when: bind_chroot_set | bool - name: logrotate for bind - template: + ansible.builtin.template: src: logrotate_bind.j2 dest: /etc/logrotate.d/bind9 owner: root @@ -110,4 +112,4 @@ force: yes notify: restart bind -- include: munin.yml +- ansible.builtin.include: munin.yml diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 7bedfd2c..4a655533 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -10,7 +10,7 @@ - munin - name: Enable munin plugins for authoritative server - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link 
@@ -18,31 +18,31 @@ - bind9 - bind9_rndc notify: restart munin-node - when: - - bind_authoritative_server | bool - - munin_node_plugins_config.stat.exists tags: - bind - munin + when: + - bind_authoritative_server | bool + - munin_node_plugins_config.stat.exists - name: Enable munin plugins for recursive server - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link loop: - bind9 notify: restart munin-node + tags: + - bind + - munin when: - bind_recursive_server | bool - bind_query_file_enabled | bool - munin_node_plugins_config.stat.exists - tags: - - bind - - munin - name: Add munin plugin configuration - template: + ansible.builtin.template: src: munin-env_bind9.j2 dest: /etc/munin/plugin-conf.d/bind9 owner: root @@ -50,7 +50,7 @@ mode: "0644" force: yes notify: restart munin-node - when: munin_node_plugins_config.stat.exists tags: - bind - munin + when: munin_node_plugins_config.stat.exists diff --git a/bind/tasks/recursive.yml b/bind/tasks/recursive.yml index ddbeafbf..364f1021 100644 --- a/bind/tasks/recursive.yml +++ b/bind/tasks/recursive.yml @@ -2,7 +2,7 @@ - name: Set bind configuration for recursive server - template: + ansible.builtin.template: src: named.conf.options_recursive.j2 dest: /etc/bind/named.conf.options owner: bind @@ -12,7 +12,7 @@ notify: restart bind - name: enable zones.rfc1918 for recursive server - lineinfile: + ansible.builtin.lineinfile: dest: /etc/bind/named.conf.local line: 'include "/etc/bind/zones.rfc1918";' regexp: "zones.rfc1918" diff --git a/bookworm-detect/tasks/main.yml b/bookworm-detect/tasks/main.yml index be11177e..c0c50fdd 100644 --- a/bookworm-detect/tasks/main.yml +++ b/bookworm-detect/tasks/main.yml 
@@ -1,10 +1,10 @@ --- -- debug: +- ansible.builtin.debug: var: ansible_lsb # Force facts until Debian 12 is released because Ansible is dumb -- set_fact: +- ansible.builtin.set_fact: ansible_distribution_major_version: 12 ansible_distribution: "Debian" ansible_distribution_release: "bookworm" diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml index 6f97db0a..e18d826b 100644 --- a/bullseye-detect/tasks/main.yml +++ b/bullseye-detect/tasks/main.yml @@ -1,7 +1,7 @@ --- # Force facts until Debian 11 is released because Ansible is dumb -- set_fact: +- ansible.builtin.set_fact: ansible_distribution_major_version: 11 ansible_distribution: "Debian" ansible_distribution_release: "bullseye" diff --git a/certbot/handlers/main.yml b/certbot/handlers/main.yml index 4363ed3d..54f114e2 100644 --- a/certbot/handlers/main.yml +++ b/certbot/handlers/main.yml @@ -1,23 +1,24 @@ --- - name: reload nginx - service: + ansible.builtin.systemd: name: nginx state: reloaded - name: reload apache - service: + ansible.builtin.systemd: name: apache2 state: reloaded - name: reload haproxy - service: + ansible.builtin.systemd: name: haproxy state: reloaded - name: systemd daemon-reload - systemd: + ansible.builtin.systemd: daemon_reload: yes - name: install letsencrypt-auto - command: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade + ansible.builtin.command: + cmd: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade diff --git a/certbot/tasks/acme-challenge.yml b/certbot/tasks/acme-challenge.yml index 56b0c099..29c0267d 100644 --- a/certbot/tasks/acme-challenge.yml +++ b/certbot/tasks/acme-challenge.yml 
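Review bot: The three `reload` handlers in certbot/handlers/main.yml switch from `service:` to `ansible.builtin.systemd:`, while the clamav, dhcpd, dovecot and drbd handlers in the same series move to `ansible.builtin.service:`; everywhere else the change is name-only, so the module swap here is easy to miss and leaves the handlers inconsistent across roles. Both work on a systemd host, but either use `ansible.builtin.service` as the other roles do, or add a comment above the `reload nginx` handler stating why the systemd module is required for certbot.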
@@ -1,18 +1,18 @@ --- - name: Certbot work directory is present - file: + ansible.builtin.file: dest: "{{ certbot_work_dir }}" state: directory mode: "0755" - name: Check if Nginx is installed - stat: + ansible.builtin.stat: path: /etc/nginx register: is_nginx - name: ACME challenge for Nginx is installed - template: + ansible.builtin.template: src: acme-challenge/nginx.conf.j2 dest: /etc/nginx/snippets/letsencrypt.conf force: yes @@ -20,32 +20,33 @@ when: is_nginx.stat.exists - name: Check if Apache is installed - stat: + ansible.builtin.stat: path: /usr/sbin/apachectl register: is_apache - name: ACME challenge for Apache block: - name: ACME challenge for Apache is installed - template: + ansible.builtin.template: src: acme-challenge/apache.conf.j2 dest: /etc/apache2/conf-available/letsencrypt.conf force: yes notify: reload apache - name: ACME challenge for Apache is enabled - command: "a2enconf letsencrypt" + ansible.builtin.command: + cmd: "a2enconf letsencrypt" register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache when: is_apache.stat.exists - name: Check if HAProxy is installed - stat: + ansible.builtin.stat: path: /etc/haproxy register: is_haproxy - name: ACME challenge for HAProxy is installed - debug: + ansible.builtin.debug: msg: "ACME challenge configuration for HAProxy must be configured manually" when: is_haproxy.stat.exists diff --git a/certbot/tasks/install-legacy.yml b/certbot/tasks/install-legacy.yml index 446e557a..3048a4a4 100644 --- a/certbot/tasks/install-legacy.yml +++ b/certbot/tasks/install-legacy.yml 
@@ -1,16 +1,16 @@ --- - name: certbot package is removed - apt: + ansible.builtin.apt: name: certbot state: absent -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr # copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto - name: Let's Encrypt script is present - copy: + ansible.builtin.copy: src: letsencrypt-auto dest: /usr/local/bin/letsencrypt-auto mode: '0755' @@ -20,22 +20,23 @@ notify: install letsencrypt-auto - name: Check certbot script - stat: + ansible.builtin.stat: path: /usr/local/bin/certbot register: certbot_path - name: Rename certbot script if present - command: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak" + ansible.builtin.command: + cmd: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak" when: certbot_path.stat.exists - name: Let's Encrypt script is symlinked as certbot - file: + ansible.builtin.file: src: "/usr/local/bin/letsencrypt-auto" dest: "/usr/local/bin/certbot" state: link - name: systemd artefacts are absent - file: + ansible.builtin.file: dest: "{{ item }}" state: absent loop: @@ -45,14 +46,14 @@ notify: systemd daemon-reload - name: custom crontab is present - copy: + ansible.builtin.copy: src: cron_jessie dest: /etc/cron.d/certbot force: yes when: certbot_custom_crontab | bool - name: disable self-upgrade - ini_file: + community.general.ini_file: dest: "/etc/letsencrypt/cli.ini" section: null option: "no-self-upgrade" diff --git a/certbot/tasks/install-package.yml b/certbot/tasks/install-package.yml index 06247db4..c12b49e4 100644 --- a/certbot/tasks/install-package.yml +++ b/certbot/tasks/install-package.yml @@ -1,6 +1,6 @@ --- - name: certbot package is installed - apt: + ansible.builtin.apt: name: certbot state: latest diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml index cede35a6..3dcb1334 100644 --- a/certbot/tasks/main.yml +++ b/certbot/tasks/main.yml 
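Review bot: The `Rename certbot script if present` task in certbot/tasks/install-legacy.yml is not idempotent: after the first run `/usr/local/bin/certbot` is the symlink created two tasks later, so `certbot_path.stat.exists` is true again and `mv /usr/local/bin/certbot /usr/local/bin/certbot.bak` overwrites the backup of the original script with the symlink on every subsequent run. Guarding on the link status and on the backup file keeps the original `.bak` intact: `when: certbot_path.stat.exists and not certbot_path.stat.islnk` together with `creates: /usr/local/bin/certbot.bak` beside `cmd:`. The `stat` task two lines above already returns `islnk`, so no extra task is needed.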
@@ -1,28 +1,28 @@ --- - name: "System compatibility checks" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: only compatible with Debian 9+ - name: Install legacy script on Debian 8 - include: install-legacy.yml + ansible.builtin.include: install-legacy.yml when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '<') - name: Install package on Debian 9+ - include: install-package.yml + ansible.builtin.include: install-package.yml when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '>=') -- include: acme-challenge.yml +- ansible.builtin.include: acme-challenge.yml - name: Deploy hooks are present - copy: + ansible.builtin.copy: src: hooks/deploy/ dest: /etc/letsencrypt/renewal-hooks/deploy/ mode: "0700" @@ -30,7 +30,7 @@ group: root - name: Manual deploy hook is present - copy: + ansible.builtin.copy: src: hooks/manual-deploy.sh dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh mode: "0700" @@ -38,7 +38,7 @@ group: root - name: "sync_remote is configured with servers" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf regexp: "^servers=" line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\"" 
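Review bot: In the `System compatibility checks` task the condition accepts Debian 8 (`ansible_distribution_major_version is version('8', '>=')`) and the next task installs the legacy script on Debian 8, yet the failure text reads `msg: only compatible with Debian 9+`. The message should say `msg: only compatible with Debian 8+`, or the threshold should be raised to 9 if Jessie support is being dropped. These are context lines, but the hunk rewrites the task and is the natural place to fix the mismatch.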
@@ -46,14 +46,15 @@ # begining of backward compatibility tasks - name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present - command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh" + ansible.builtin.command: + cmd: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh" args: removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh # end of backward compatibility tasks - name: "certbot lock is ignored by Git" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/.gitignore line: letsencrypt/.certbot.lock create: yes diff --git a/clamav/handlers/main.yml b/clamav/handlers/main.yml index e053f01a..c931807b 100644 --- a/clamav/handlers/main.yml +++ b/clamav/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart clamav - service: + ansible.builtin.service: name: clamav-daemon state: restarted diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml index f74efae5..7044ddce 100644 --- a/clamav/tasks/main.yml +++ b/clamav/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: configure clamav-daemon - debconf: + ansible.builtin.debconf: name: clamav-daemon question: "{{ item.key }}" value: "{{ item.value }}" @@ -52,7 +52,7 @@ - clamav - name: configure clamav-freshclam - debconf: + ansible.builtin.debconf: name: clamav-freshclam question: "{{ item.key }}" value: "{{ item.value }}" @@ -73,7 +73,7 @@ - clamav - name: install ClamAV - apt: + ansible.builtin.apt: name: - clamav-daemon - clamav @@ -92,7 +92,7 @@ - clamav - name: add clamav user to amavis group - user: + ansible.builtin.user: name: clamav groups: amavis append: True @@ -100,7 +100,7 @@ - clamav - name: allow supplementary groups - replace: + ansible.builtin.replace: dest: /etc/clamav/clamd.conf regexp: 'AllowSupplementaryGroups false' replace: 'AllowSupplementaryGroups true' 
diff --git a/dhcpd/handlers/main.yml b/dhcpd/handlers/main.yml index 09f93269..8cfa9eb0 100644 --- a/dhcpd/handlers/main.yml +++ b/dhcpd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart dhcp - service: + ansible.builtin.service: name: isc-dhcp-server state: restarted diff --git a/dhcpd/tasks/main.yml b/dhcpd/tasks/main.yml index 828a219f..214c5d58 100644 --- a/dhcpd/tasks/main.yml +++ b/dhcpd/tasks/main.yml @@ -1,4 +1,4 @@ - name: ensure packages are installed - apt: + ansible.builtin.apt: name: isc-dhcp-server state: present diff --git a/docker-host/handlers/main.yml b/docker-host/handlers/main.yml index c21a84ef..46d42215 100644 --- a/docker-host/handlers/main.yml +++ b/docker-host/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: restart docker - service: + ansible.builtin.systemd: name: docker state: restarted enabled: yes diff --git a/dovecot/handlers/main.yml b/dovecot/handlers/main.yml index 7d40488b..1e6afce7 100644 --- a/dovecot/handlers/main.yml +++ b/dovecot/handlers/main.yml @@ -1,16 +1,16 @@ --- - name: restart dovecot - service: + ansible.builtin.service: name: dovecot state: restarted - name: reload dovecot - service: + ansible.builtin.service: name: dovecot state: reloaded - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index dddd951c..adb81238 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -1,5 +1,5 @@ - name: ensure packages are installed - apt: + ansible.builtin.apt: name: - dovecot-ldap - dovecot-imapd 
@@ -11,12 +11,12 @@ - dovecot - name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes) - openssl_dhparam: + community.crypto.openssl_dhparam: path: /etc/ssl/dhparams.pem size: 4096 - name: disable pam auth - replace: + ansible.builtin.replace: dest: /etc/dovecot/conf.d/10-auth.conf regexp: "[^#]!include auth-system.conf.ext" replace: "#!include auth-system.conf.ext" @@ -24,7 +24,7 @@ - dovecot - name: update ldap auth - lineinfile: + ansible.builtin.lineinfile: dest: /etc/dovecot/dovecot-ldap.conf.ext line: "{{ item.key }} = {{ item.value }}" regexp: "^#*{{ item.key }}" @@ -43,7 +43,7 @@ - dovecot - name: create vmail group - group: + ansible.builtin.group: name: vmail gid: "{{ dovecot_vmail_gid }}" system: True @@ -51,7 +51,7 @@ - dovecot - name: create vmail user - user: + ansible.builtin.user: name: vmail group: vmail uid: "{{ dovecot_vmail_uid }}" @@ -61,7 +61,7 @@ - dovecot - name: deploy evolix config - template: + ansible.builtin.template: src: z-evolinux-defaults.conf.j2 dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf mode: "0644" @@ -70,7 +70,7 @@ - dovecot - name: deploy file for custom configuration - template: + ansible.builtin.template: src: zzz-evolinux-custom.conf.j2 dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf mode: "0644" @@ -78,18 +78,18 @@ tags: - dovecot -- include: munin.yml +- ansible.builtin.include: munin.yml tags: - - dovecot + - dovecot - name: log2mail is installed - apt: + ansible.builtin.apt: name: log2mail state: present tags: dovecot - name: dovecot is configured in log2mail - blockinfile: + ansible.builtin.blockinfile: path: /etc/log2mail/config/mail.conf create: true owner: log2mail diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index c6b58d28..8db1456c 100644 --- a/dovecot/tasks/munin.yml +++ b/dovecot/tasks/munin.yml 
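Review bot: The `disable pam auth` task's `regexp: "[^#]!include auth-system.conf.ext"` is unanchored, so the leading `[^#]` consumes whatever character precedes the directive; if `!include auth-system.conf.ext` starts at column 0 (it does in dovecot's shipped 10-auth.conf, to be confirmed), that character is the newline and `replace: "#!include auth-system.conf.ext"` joins the directive onto the previous line. It only comes out right because the preceding line happens to be a comment or blank. Since `ansible.builtin.replace` runs in MULTILINE mode, `regexp: "^!include auth-system.conf.ext"` expresses the intent (only uncommented occurrences) without eating the newline.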
@@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -9,13 +9,13 @@ - name: Munin plugins are present and configured block: - name: Install munin plugin - copy: + ansible.builtin.copy: src: munin_plugin dest: /etc/munin/plugins/dovecot mode: "0755" - name: Install munin config - copy: + ansible.builtin.copy: src: munin_config dest: /etc/munin/plugin-conf.d/dovecot mode: "0644" diff --git a/drbd/handlers/main.yml b/drbd/handlers/main.yml index 0b7f394e..5ca5295a 100644 --- a/drbd/handlers/main.yml +++ b/drbd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/drbd/tasks/main.yml b/drbd/tasks/main.yml index 6e0eca0a..c7134f27 100644 --- a/drbd/tasks/main.yml +++ b/drbd/tasks/main.yml @@ -1,6 +1,6 @@ --- -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: nagios.yml +- ansible.builtin.include: nagios.yml diff --git a/drbd/tasks/munin.yml b/drbd/tasks/munin.yml index 0e297d16..205cfb5f 100644 --- a/drbd/tasks/munin.yml +++ b/drbd/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: Check if Munin plugins exists - stat: + ansible.builtin.stat: path: /etc/munin/plugins/ register: munin_plugins_dir check_mode: no @@ -10,7 +10,7 @@ # https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/drbd/drbd - name: Get Munin plugin - copy: + ansible.builtin.copy: src: munin/drbd-plugin dest: /etc/munin/plugins/drbd mode: "0755" @@ -20,7 +20,7 @@ - drbd - name: Copy Munin plugin conf - copy: + ansible.builtin.copy: src: munin/drbd-config dest: /etc/munin/plugin-conf.d/drbd mode: "0644" diff --git a/drbd/tasks/nagios.yml b/drbd/tasks/nagios.yml index ea436a5b..d62e00d2 100644 --- a/drbd/tasks/nagios.yml +++ b/drbd/tasks/nagios.yml 
@@ -1,21 +1,21 @@ --- - name: Check if Nagios is installed - stat: + ansible.builtin.stat: path: /usr/local/lib/nagios/plugins/ register: nagios_plugins_dir check_mode: no tags: - drbd -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - drbd # https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=3367&cf_id=30 - name: Install Nagios plugin - copy: + ansible.builtin.copy: src: "nagios/check_drbd" dest: "/usr/local/lib/nagios/plugins/check_drbd" mode: "0755" diff --git a/drbd/tasks/packages.yml b/drbd/tasks/packages.yml index 59b4bb2e..a4f4f373 100644 --- a/drbd/tasks/packages.yml +++ b/drbd/tasks/packages.yml @@ -1,5 +1,5 @@ - name: Install dependency - apt: + ansible.builtin.apt: name: - drbd-utils - lvm2 @@ -7,7 +7,7 @@ - drbd - name: Enable drbd.service - service: + ansible.builtin.service: name: drbd enabled: yes tags: diff --git a/elasticsearch/handlers/main.yml b/elasticsearch/handlers/main.yml index c8a57b70..2531b0b8 100644 --- a/elasticsearch/handlers/main.yml +++ b/elasticsearch/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: restart elasticsearch - systemd: + ansible.builtin.systemd: daemon_reload: yes name: elasticsearch state: restarted diff --git a/elasticsearch/tasks/additional_scripts.yml b/elasticsearch/tasks/additional_scripts.yml index e8373ef8..8dcb0759 100644 --- a/elasticsearch/tasks/additional_scripts.yml +++ b/elasticsearch/tasks/additional_scripts.yml @@ -1,11 +1,11 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: elasticsearch_additional_scripts_dir is search("/usr") - name: "{{ elasticsearch_additional_scripts_dir }} exists" - file: + ansible.builtin.file: dest: "{{ elasticsearch_additional_scripts_dir }}" mode: "0700" owner: root 
@@ -13,7 +13,7 @@ state: directory - name: Plugins upgrade script is installed - copy: + ansible.builtin.copy: src: upgrade_elasticsearch_plugins.sh dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh" mode: "0755" diff --git a/elasticsearch/tasks/bootstrap_checks.yml b/elasticsearch/tasks/bootstrap_checks.yml index b1f79046..0df9a618 100644 --- a/elasticsearch/tasks/bootstrap_checks.yml +++ b/elasticsearch/tasks/bootstrap_checks.yml @@ -1,7 +1,8 @@ --- - name: Read maximum map count - command: "sysctl -n vm.max_map_count" + ansible.builtin.command: + cmd: "sysctl -n vm.max_map_count" register: max_map_count failed_when: False changed_when: False @@ -9,7 +10,7 @@ - config - name: Maximum map count check - sysctl: + ansible.posix.sysctl: name: vm.max_map_count value: 262144 sysctl_file: /etc/sysctl.d/elasticsearch.conf @@ -18,7 +19,7 @@ - config - name: bootstrap.memory_lock - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "bootstrap.memory_lock: true" regexp: "^bootstrap.memory_lock:" @@ -27,12 +28,12 @@ - config - name: Create a system config directory for systemd overrides - file: + ansible.builtin.file: path: /etc/systemd/system/elasticsearch.service.d state: directory - name: Override memory config in systemd unit - ini_file: + community.general.ini_file: dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf section: Service option: "LimitMEMLOCK" diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 7324f610..9c3875b0 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -1,7 +1,7 @@ --- - name: Configure cluster name - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "cluster.name: {{ elasticsearch_cluster_name }}" regexp: "^cluster.name:" 
@@ -11,7 +11,7 @@ - config - name: Configure node name - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "node.name: {{ elasticsearch_node_name }}" regexp: "^node.name:" @@ -20,7 +20,7 @@ - config - name: Configure network host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "network.host: {{ elasticsearch_network_host }}" regexp: "^network.host:" @@ -30,7 +30,7 @@ - config - name: Configure network publish_host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "network.publish_host: {{ elasticsearch_network_publish_host }}" regexp: "^network.publish_host:" @@ -40,7 +40,7 @@ - config - name: Configure http publish_host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "http.publish_host: {{ elasticsearch_http_publish_host }}" regexp: "^http.publish_host:" @@ -50,7 +50,7 @@ - config - name: Configure discovery seed hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}" regexp: "^discovery.seed_hosts:" @@ -59,7 +59,7 @@ - config - name: Configure empty discovery seed hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml regexp: "^discovery.seed_hosts:" state: absent @@ -68,7 +68,7 @@ - config - name: Configure initial master nodes - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}" regexp: "^cluster.initial_master_nodes:" @@ -77,7 +77,7 @@ - config - name: Configure empty initial master nodes - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml regexp: "^cluster.initial_master_nodes:" state: absent 
@@ -86,7 +86,7 @@ - config - name: Configure RESTART_ON_UPGRADE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/elasticsearch line: "RESTART_ON_UPGRADE={{ elasticsearch_restart_on_upgrade | bool | ternary('true','false') }}" regexp: "^RESTART_ON_UPGRADE=" @@ -95,7 +95,7 @@ - config - name: JVM Heap size (min) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options.d/evolinux.options regexp: "^-Xms" line: "-Xms{{ elasticsearch_jvm_xms }}" @@ -107,7 +107,7 @@ - config - name: JVM Heap size (max) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options.d/evolinux.options regexp: "^-Xmx" line: "-Xmx{{ elasticsearch_jvm_xmx }}" @@ -119,7 +119,7 @@ - config - name: Disable garbage collector logs (JDK >= 9) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options regexp: "Xlog:gc" line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m" @@ -130,7 +130,7 @@ - config - name: Configure cluster members - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}" regexp: "^discovery.zen.ping.unicast.hosts:" @@ -140,7 +140,7 @@ - config - name: Configure minimum master nodes - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}" regexp: "^discovery.zen.minimum_master_nodes:" diff --git a/elasticsearch/tasks/curator.yml b/elasticsearch/tasks/curator.yml index c7c44259..4cf7c9d5 100644 --- a/elasticsearch/tasks/curator.yml +++ b/elasticsearch/tasks/curator.yml 
@@ -1,11 +1,11 @@ --- - name: Use the correct debian repository - set_fact: + ansible.builtin.set_fact: curator_debian_repository: '{% if ansible_distribution_release == "jessie" %}debian{% else %}debian9{% endif %}' - name: Curator sources list is available - apt_repository: + ansible.builtin.apt_repository: repo: "deb https://packages.elastic.co/curator/5/{{ curator_debian_repository }} stable main" filename: curator update_cache: yes @@ -15,7 +15,7 @@ - packages - name: Curator package is installed - apt: + ansible.builtin.apt: name: elasticsearch-curator state: present tags: diff --git a/elasticsearch/tasks/datadir.yml b/elasticsearch/tasks/datadir.yml index ef91cf1d..c442ae42 100644 --- a/elasticsearch/tasks/datadir.yml +++ b/elasticsearch/tasks/datadir.yml @@ -3,13 +3,13 @@ - name: Set real datadir value when customized block: - name: "Is custom datadir present ?" - stat: + ansible.builtin.stat: path: "{{ elasticsearch_custom_datadir }}" register: elasticsearch_custom_datadir_test check_mode: no - name: "read the real datadir" - command: readlink -f /var/lib/elasticsearch + ansible.builtin.command: readlink -f /var/lib/elasticsearch changed_when: False register: elasticsearch_current_real_datadir_test check_mode: no 
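Review bot: `ansible.builtin.command: readlink -f /var/lib/elasticsearch` in the `read the real datadir` task keeps the free-form string, while every other `command:` rewrite in this series moves the string under `cmd:` (including the `mv` task in the next hunk of this same file). For consistency use `ansible.builtin.command:` followed by `cmd: readlink -f /var/lib/elasticsearch`.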
@@ -22,23 +22,24 @@ - name: Datadir is moved to custom path block: - name: elasticsearch is stopped - service: + ansible.builtin.service: name: elasticsearch state: stopped - name: Move elasticsearch datadir to custom datadir - command: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }} args: creates: "{{ elasticsearch_custom_datadir }}" - name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch - file: + ansible.builtin.file: src: "{{ elasticsearch_custom_datadir }}" dest: '/var/lib/elasticsearch' state: link - name: elasticsearch is started - service: + ansible.builtin.service: name: elasticsearch state: started tags: diff --git a/elasticsearch/tasks/logs.yml b/elasticsearch/tasks/logs.yml index 8c5977a4..0569ef07 100644 --- a/elasticsearch/tasks/logs.yml +++ b/elasticsearch/tasks/logs.yml @@ -1,8 +1,8 @@ --- - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -10,7 +10,7 @@ register: is_cron_installed - name: "log rotation script" - template: + ansible.builtin.template: src: rotate_elasticsearch_logs.j2 dest: /etc/cron.daily/rotate_elasticsearch_logs owner: root diff --git a/elasticsearch/tasks/main.yml b/elasticsearch/tasks/main.yml index 6f5ccc8c..132089c7 100644 --- a/elasticsearch/tasks/main.yml +++ b/elasticsearch/tasks/main.yml 
@@ -1,21 +1,21 @@ --- -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: configuration.yml +- ansible.builtin.include: configuration.yml -- include: bootstrap_checks.yml +- ansible.builtin.include: bootstrap_checks.yml -- include: tmpdir.yml +- ansible.builtin.include: tmpdir.yml -- include: datadir.yml +- ansible.builtin.include: datadir.yml -- include: logs.yml +- ansible.builtin.include: logs.yml -- include: additional_scripts.yml +- ansible.builtin.include: additional_scripts.yml -- include: plugin_head.yml +- ansible.builtin.include: plugin_head.yml when: elasticsearch_plugin_head | bool -- include: curator.yml +- ansible.builtin.include: curator.yml when: elasticsearch_curator | bool diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml index 2f7cae39..2a98d080 100644 --- a/elasticsearch/tasks/plugin_head.yml +++ b/elasticsearch/tasks/plugin_head.yml @@ -1,7 +1,7 @@ --- - name: "User {{ elasticsearch_plugin_head_owner }} is present" - user: + ansible.builtin.user: name: "{{ elasticsearch_plugin_head_owner }}" home: "{{ elasticsearch_plugin_head_home }}" createhome: yes @@ -11,7 +11,7 @@ - name: Head plugin is installed block: - name: Head repository is checked-out - git: + ansible.builtin.git: repo: "https://github.com/mobz/elasticsearch-head.git" dest: "{{ elasticsearch_plugin_head_clone_dir }}" clone: yes @@ -19,12 +19,12 @@ - packages - name: Create tmpdir - file: + ansible.builtin.file: dest: "{{ elasticsearch_plugin_head_tmp_dir }}" state: directory - name: NPM packages for head are installed - npm: + community.general.npm: path: "{{ elasticsearch_plugin_head_clone_dir }}" tags: - packages @@ -35,7 +35,7 @@ become: yes - name: Elasticsearch HTTP/CORS are enabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "http.cors.enabled: true" regexp: "^http.cors.enabled:" 
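Review bot: The `Head repository is checked-out` task clones `https://github.com/mobz/elasticsearch-head.git` with no `version:` visible in the hunk, and the following hunk runs `community.general.npm` on that checkout, so whatever the default branch holds at run time gets installed; a pin such as `version: <release tag or commit — to be chosen>` keeps deployments reproducible and turns an upgrade into a reviewed change. The `git` task continues past `clone: yes` outside the hunk, so disregard this if a `version:` is already set there.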
@@ -46,7 +46,7 @@ - elasticsearch - name: Elasticsearch HTTP/CORS accepts all origins - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "http.cors.allow-origin: \"*\"" regexp: "^http.cors.allow-origin:" @@ -57,7 +57,7 @@ - elasticsearch - name: Install systemd unit - template: + ansible.builtin.template: src: elasticsearch-head.service.j2 dest: /etc/systemd/system/elasticsearch-head.service tags: @@ -65,7 +65,7 @@ - systemd - name: Enable systemd unit - systemd: + ansible.builtin.systemd: name: elasticsearch-head daemon_reload: yes enabled: yes diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index 30375af1..e3601fb8 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -1,7 +1,8 @@ --- - name: Check if /tmp is noexec - shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" + ansible.builtin.shell: + cmd: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" register: fstab_tmp_noexec failed_when: False changed_when: False @@ -9,13 +10,13 @@ - name: Tmpdir is moved to custom path block: - - set_fact: + - ansible.builtin.set_fact: _elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}" tags: - elasticsearch - name: "Create {{ _elasticsearch_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ _elasticsearch_custom_tmpdir }}" owner: elasticsearch group: elasticsearch @@ -25,7 +26,7 @@ - elasticsearch - name: change JVM tmpdir (< 6.x) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options.d/evolinux.options line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}" regexp: "^-Djava.io.tmpdir=" @@ -40,7 +41,7 @@ when: elastic_stack_version is version('6', '<') - name: check if ES_TMPDIR is available (>= 6.x) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/elasticsearch line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}" regexp: "^ES_TMPDIR=" 
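Review bot: The `Elasticsearch HTTP/CORS accepts all origins` task writes `http.cors.allow-origin: "*"` into elasticsearch.yml, which lets any web page loaded in a browser that can reach the HTTP port issue requests against the cluster; together with `http.cors.enabled: true` from the previous hunk this is what makes the head UI work, but the origin does not need to be a wildcard. Consider a role variable defaulting to the origin the head UI is served from, e.g. `line: "http.cors.allow-origin: \"{{ elasticsearch_plugin_head_cors_allow_origin }}\""` (constructed variable name), and a comment above the task noting that the value must stay restricted whenever `network.host` is not loopback. The task's `when:` and `tags:` are outside the hunk.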
@@ -53,7 +54,7 @@ # Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config. - name: change JVM tmpdir (>= 6.x) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options line: "-Djava.io.tmpdir=${ES_TMPDIR}" regexp: "^-Djava.io.tmpdir=" diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index c92e3c6a..55c02934 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -1,7 +1,8 @@ --- - name: "Execute ansible-commit" - command: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\"" + ansible.builtin.command: + cmd: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\"" changed_when: - _ansible_commit.stdout - "'CHANGED:' in _ansible_commit.stdout" diff --git a/etc-git/tasks/lxc_commit.yml b/etc-git/tasks/lxc_commit.yml index 26fc8738..1c3d0d67 100644 --- a/etc-git/tasks/lxc_commit.yml +++ b/etc-git/tasks/lxc_commit.yml @@ -1,15 +1,15 @@ --- - name: "Assert that we have been called with `container` defined" - assert: + ansible.builtin.assert: that: - container is defined - name: "Define path to /etc in {{ container }} container" - set_fact: + ansible.builtin.set_fact: container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}" - name: "Check if /etc is a git repository in {{ container }}" - stat: + ansible.builtin.stat: path: "{{ (container_etc, '.git') | path_join }}" get_attributes: no get_checksum: no @@ -17,7 +17,7 @@ register: "container_etc_git" - name: "Evocommit /etc of {{ container }}" - command: + ansible.builtin.command: argv: - /usr/local/bin/evocommit - '--ansible' diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index ac28e1e7..bae705d3 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Git is installed (Debian) - apt: + ansible.builtin.apt: name: git state: present tags: 
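Review bot: In etc-git/tasks/commit.yml the new `cmd:` form still splices `commit_message` into a single string that Ansible then word-splits, so a message containing a double quote or a backslash breaks the split or becomes extra arguments to ansible-commit, whereas lxc_commit.yml in the same diff already uses `argv:` for the comparable evocommit call. Since the task is being rewritten anyway, pass the message as a discrete argument so no quoting is involved; the same pattern applies to the `find` in evoacme/tasks/evoacme_hook.yml (`hook_name`), the `bkctld` calls in evobackup-client/tasks/jail.yml (`evolinux_hostname`, `ansible_host`) and evocheck/tasks/exec.yml (`evocheck_bin_dir`). The task's `register:` and remaining keys continue outside the hunk.
```yaml
- name: "Execute ansible-commit"
  ansible.builtin.command:
    argv:
      - /usr/local/bin/ansible-commit
      - --verbose
      - --message
      - "{{ commit_message | mandatory }}"
  # … unchanged: changed_when …
```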
@@ -10,12 +10,12 @@ - ansible_distribution == "Debian" - name: Install and configure utilities - include: utils.yml + ansible.builtin.include: utils.yml tags: - etc-git - name: Configure repositories - include: repositories.yml + ansible.builtin.include: repositories.yml tags: - etc-git when: etc_git_config_repositories | bool \ No newline at end of file diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 71ff0665..d9d64ad6 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -1,6 +1,6 @@ --- -- include: repository.yml +- ansible.builtin.include: repository.yml vars: repository_path: "/etc" gitignore_items: @@ -15,18 +15,18 @@ - etc-git - name: verify /usr/share/scripts presence - stat: + ansible.builtin.stat: path: /usr/share/scripts register: _usr_share_scripts tags: - etc-git -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: - _usr_share_scripts.stat.isdir -- include: repository.yml +- ansible.builtin.include: repository.yml vars: repository_path: "/usr/share/scripts" gitignore_items: [] diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index 7ebfc773..1601a157 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -1,11 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: repository_path is search("/usr") - name: "{{ repository_path }} is versioned with git" - command: "git init ." + ansible.builtin.command: + cmd: "git init ." args: chdir: "{{ repository_path }}" creates: "{{ repository_path }}/.git/" @@ -14,7 +15,7 @@ - etc-git - name: Git user.email is configured - git_config: + community.general.git_config: name: user.email repo: "{{ repository_path }}" scope: local @@ -23,7 +24,7 @@ - etc-git - name: "{{ repository_path }}/.git is restricted to root" - file: + ansible.builtin.file: path: "{{ repository_path }}/.git" owner: root mode: "0700" 
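Review bot: In etc-git/tasks/repository.yml the `git init .` task now puts `cmd:` under the module key but leaves `chdir`/`creates` under a separate `args:` block, while etc-git/tasks/utils.yml in this same commit moves `executable` out of `args:` to sit beside `cmd:`; the two conventions should not coexist in one change. Moving `chdir: "{{ repository_path }}"` and `creates: "{{ repository_path }}/.git/"` under `ansible.builtin.command:` next to `cmd:` and dropping `args:` makes the task read as one unit. The `git log` and `git add` tasks later in repository.yml, the two `mv` tasks in evoacme/tasks/certbot.yml and `bkctld init` in evobackup-client/tasks/jail.yml have the same split.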
@@ -32,7 +33,7 @@ - etc-git - name: "{{ repository_path }}/.gitignore is present" - copy: + ansible.builtin.copy: src: gitignore dest: "{{ repository_path }}/.gitignore" owner: root @@ -42,7 +43,7 @@ - etc-git - name: "Some entries MUST be in the {{ repository_path }}/.gitignore file" - lineinfile: + ansible.builtin.lineinfile: dest: "{{ repository_path }}/.gitignore" line: "{{ item }}" loop: "{{ gitignore_items | default([]) }}" @@ -50,7 +51,8 @@ - etc-git - name: "does {{ repository_path }}/ have any commit?" - command: "git log" + ansible.builtin.command: + cmd: "git log" args: chdir: "{{ repository_path }}" changed_when: False @@ -61,7 +63,8 @@ - etc-git - name: initial commit is present? - shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" + ansible.builtin.shell: + cmd: "git add -A . && git commit -m \"Initial commit via Ansible\"" args: chdir: "{{ repository_path }}" register: git_commit diff --git a/etc-git/tasks/utils.yml b/etc-git/tasks/utils.yml index 831f62a6..b54e1c61 100644 --- a/etc-git/tasks/utils.yml +++ b/etc-git/tasks/utils.yml @@ -1,12 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - etc-git - name: "evocommit script is installed" - copy: + ansible.builtin.copy: src: evocommit dest: /usr/local/bin/evocommit mode: "0755" @@ -15,7 +15,7 @@ - etc-git - name: "ansible-commit script is installed" - copy: + ansible.builtin.copy: src: ansible-commit dest: /usr/local/bin/ansible-commit mode: "0755" @@ -24,7 +24,7 @@ - etc-git - name: "etc-git-optimize script is installed" - copy: + ansible.builtin.copy: src: etc-git-optimize dest: /usr/share/scripts/etc-git-optimize mode: "0755" @@ -33,7 +33,7 @@ - etc-git - name: "etc-git-status script is installed" - copy: + ansible.builtin.copy: src: etc-git-status dest: /usr/share/scripts/etc-git-status mode: "0755" 
@@ -42,8 +42,8 @@ - etc-git - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash failed_when: False changed_when: False @@ -52,7 +52,7 @@ - block: - name: Legacy cron jobs for /etc/.git status are absent - file: + ansible.builtin.file: dest: "{{ item }}" state: absent loop: @@ -60,7 +60,7 @@ - /etc/cron.d/etc-git-status - name: Cron job for monthly git optimization - cron: + ansible.builtin.cron: name: "Monthly optimization" cron_file: etc-git special_time: "monthly" @@ -68,7 +68,7 @@ job: "/usr/share/scripts/etc-git-optimize" - name: Cron job for hourly git status - cron: + ansible.builtin.cron: name: "Hourly warning for unclean Git repository if nobody is connected" cron_file: etc-git special_time: "hourly" @@ -77,7 +77,7 @@ state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}" - name: Cron job for daily git status - cron: + ansible.builtin.cron: name: "Daily warning for unclean Git repository" cron_file: etc-git user: root diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index 1ea11783..b188bfe7 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -1,25 +1,27 @@ - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases - name: Test Apache conf - command: apache2ctl -t + ansible.builtin.command: + cmd: apache2ctl -t notify: "Reload Apache conf" - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: apt update - apt: + ansible.builtin.apt: update_cache: yes - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 26327569..bc844393 100644 
--- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -1,27 +1,29 @@ --- - name: Do no install certbot crontab - set_fact: + ansible.builtin.set_fact: certbot_custom_crontab: False -- include_role: +- ansible.builtin.include_role: name: evolix/certbot -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Disable /etc/cron.d/certbot - command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled + ansible.builtin.command: + cmd: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled args: removes: /etc/cron.d/certbot - name: Disable /etc/cron.daily/certbot - command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled + ansible.builtin.command: + cmd: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled args: removes: /etc/cron.daily/certbot - name: Install evoacme custom cron - copy: + ansible.builtin.copy: src: evoacme.cron dest: /etc/cron.daily/evoacme mode: "0755" diff --git a/evoacme/tasks/conf.yml b/evoacme/tasks/conf.yml index 402fbdcf..125feb32 100644 --- a/evoacme/tasks/conf.yml +++ b/evoacme/tasks/conf.yml @@ -1,5 +1,5 @@ --- -- ini_file: +- community.general.ini_file: dest: "{{ evoacme_crt_dir }}/openssl.cnf" section: 'req' option: "{{ item.name }}" @@ -11,7 +11,7 @@ - { name: 'prompt', var: 'no' } - name: Update openssl conf - ini_file: + community.general.ini_file: dest: "{{ evoacme_crt_dir }}/openssl.cnf" section: 'req_dn' option: "{{ item.name }}" @@ -25,7 +25,7 @@ - { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" } - name: Copy new evoacme conf - template: + ansible.builtin.template: src: templates/evoacme.conf.j2 dest: /etc/default/evoacme owner: root diff --git a/evoacme/tasks/evoacme_hook.yml b/evoacme/tasks/evoacme_hook.yml index 2951fa00..14963944 100644 --- a/evoacme/tasks/evoacme_hook.yml +++ b/evoacme/tasks/evoacme_hook.yml 
@@ -1,18 +1,19 @@ --- - name: "Create {{ hook_name }} hook directory" - file: + ansible.builtin.file: dest: "{{ evoacme_hooks_dir }}" state: directory - name: "Search for {{ hook_name }} hook" - command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)" + ansible.builtin.command: + cmd: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)" check_mode: no changed_when: False register: _find_hook - name: "Copy {{ hook_name }} hook if missing" - copy: + ansible.builtin.copy: src: "hooks/{{ hook_name }}" dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}" mode: "0750" diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index 1cc84c5d..29e3e89f 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml @@ -1,16 +1,16 @@ --- - name: Verify Debian version - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '>=') msg: only compatible with Debian >= 9 when: not (evoacme_disable_debian_check | bool) -- include: certbot.yml +- ansible.builtin.include: certbot.yml -- include: permissions.yml +- ansible.builtin.include: permissions.yml # Enable this task if you want to deploy hooks # - include: evoacme_hook.yml @@ -18,6 +18,6 @@ # hook_name: "{{ item }}" # loop: [] -- include: conf.yml +- ansible.builtin.include: conf.yml -- include: scripts.yml +- ansible.builtin.include: scripts.yml diff --git a/evoacme/tasks/permissions.yml b/evoacme/tasks/permissions.yml index 69bcbe12..4d10ff7e 100644 --- a/evoacme/tasks/permissions.yml +++ b/evoacme/tasks/permissions.yml @@ -1,7 +1,7 @@ --- - name: Fix crt directory permissions - file: + ansible.builtin.file: path: "{{ evoacme_crt_dir }}" mode: "0755" owner: root @@ -9,7 +9,7 @@ state: directory - name: "Fix hooks directory permissions" - file: + ansible.builtin.file: path: "{{ evoacme_hooks_dir }}" mode: "0700" owner: root 
@@ -17,7 +17,7 @@ state: directory - name: Fix log directory permissions - file: + ansible.builtin.file: path: "{{ evoacme_log_dir }}" mode: "0755" owner: root @@ -25,7 +25,7 @@ state: directory - name: Fix challenge directory permissions - file: + ansible.builtin.file: path: "{{ evoacme_acme_dir }}" mode: "0755" owner: root diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml index 89aacff8..e70e990f 100644 --- a/evoacme/tasks/scripts.yml +++ b/evoacme/tasks/scripts.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create CSR dir - file: + ansible.builtin.file: path: "{{ evoacme_csr_dir }}" state: directory owner: root @@ -12,7 +12,7 @@ mode: "0755" - name: Copy make-csr.sh script - copy: + ansible.builtin.copy: src: make-csr.sh dest: /usr/local/sbin/make-csr owner: root @@ -20,7 +20,7 @@ mode: "0755" - name: Copy vhost-domains.sh script - copy: + ansible.builtin.copy: src: vhost-domains.sh dest: /usr/local/sbin/vhost-domains owner: root @@ -28,7 +28,7 @@ mode: "0755" - name: Copy evoacme script - copy: + ansible.builtin.copy: src: evoacme.sh dest: /usr/local/sbin/evoacme owner: root @@ -36,7 +36,7 @@ mode: "0755" - name: Delete scripts in old location - file: + ansible.builtin.file: path: "/usr/local/bin/{{ item }}" state: absent loop: diff --git a/evobackup-client/handlers/main.yml b/evobackup-client/handlers/main.yml index de71f634..f7d98aa9 100644 --- a/evobackup-client/handlers/main.yml +++ b/evobackup-client/handlers/main.yml 
@@ -1,17 +1,20 @@ --- - name: restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - "'minifirewall started' not in minifirewall_init_restart.stdout" - name: 'created new jail' - command: "bkctld restart {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld restart {{ evolinux_hostname }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}" - name: 'jail updated' - command: "bkctld restart {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld restart {{ evolinux_hostname }}" # - "bkctld sync {{ evolinux_hostname }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}" when: evobackup_client__hosts | length > 1 diff --git a/evobackup-client/tasks/jail.yml b/evobackup-client/tasks/jail.yml index fbb6080c..5eb0c36e 100644 --- a/evobackup-client/tasks/jail.yml +++ b/evobackup-client/tasks/jail.yml @@ -1,7 +1,8 @@ --- - name: 'create jail' - command: "bkctld init {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld init {{ evolinux_hostname }}" args: creates: "/backup/jails/{{ evolinux_hostname }}/" become: true @@ -15,7 +16,8 @@ # temp fix for bkctld 2.x because the ip and key command return 1 # if the jail is not started, see https://gitea.evolix.org/evolix/evobackup/issues/31 - name: 'start jail' - command: "bkctld restart {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld restart {{ evolinux_hostname }}" become: true delegate_to: "{{ evobackup_client__hosts[0].ip }}" tags: @@ -23,7 +25,8 @@ - evobackup_client_jail - name: 'add ip to jail' - command: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}" + ansible.builtin.command: + cmd: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}" become: true delegate_to: "{{ evobackup_client__hosts[0].ip }}" notify: 'jail updated' 
@@ -32,7 +35,8 @@ - evobackup_client_jail - name: 'add key to jail' - command: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub" + ansible.builtin.command: + cmd: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub" become: true delegate_to: "{{ evobackup_client__hosts[0].ip }}" notify: 'jail updated' @@ -41,7 +45,8 @@ - evobackup_client_jail - name: 'get jail port' - command: "bkctld port {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld port {{ evolinux_hostname }}" become: true register: bkctld_port delegate_to: "{{ evobackup_client__hosts[0].ip }}" @@ -50,7 +55,7 @@ - evobackup_client_jail - name: 'register jail port' - set_fact: + ansible.builtin.set_fact: evobackup_ssh_port={{ bkctld_port.stdout }} tags: - evobackup_client diff --git a/evobackup-client/tasks/main.yml b/evobackup-client/tasks/main.yml index a2dd4405..4b01a276 100644 --- a/evobackup-client/tasks/main.yml +++ b/evobackup-client/tasks/main.yml @@ -1,26 +1,26 @@ --- -- include: "ssh_key.yml" +- ansible.builtin.include: "ssh_key.yml" tags: - evobackup_client - evobackup_client_backup_ssh_key -- include: "jail.yml" +- ansible.builtin.include: "jail.yml" tags: - evobackup_client - evobackup_client_jail -- include: "upload_scripts.yml" +- ansible.builtin.include: "upload_scripts.yml" tags: - evobackup_client - evobackup_client_backup_scripts -- include: "open_ssh_ports.yml" +- ansible.builtin.include: "open_ssh_ports.yml" tags: - evobackup_client - evobackup_client_backup_firewall -- include: "verify_ssh.yml" +- ansible.builtin.include: "verify_ssh.yml" tags: - evobackup_client - evobackup_client_backup_hosts diff --git a/evobackup-client/tasks/open_ssh_ports.yml b/evobackup-client/tasks/open_ssh_ports.yml index 3d1701ef..837996e4 100644 --- a/evobackup-client/tasks/open_ssh_ports.yml +++ b/evobackup-client/tasks/open_ssh_ports.yml 
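Review bot: The `register jail port` task in evobackup-client/tasks/jail.yml keeps the free-form `evobackup_ssh_port={{ bkctld_port.stdout }}` string under the renamed `ansible.builtin.set_fact:`, mixing the old key=value shorthand with the FQCN style the commit is adopting everywhere else. Writing it as a mapping, `evobackup_ssh_port: "{{ bkctld_port.stdout }}"`, matches the other `set_fact` tasks in this diff and avoids relying on the shorthand parser for an unquoted Jinja expression. If `bkctld port` is expected to print a bare number, appending `| int` would also surface a malformed value here rather than in the firewall task that consumes it later.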
@@ -1,7 +1,7 @@ --- - name: Is there a Minifirewall ? - stat: + ansible.builtin.stat: path: /etc/default/minifirewall register: evobackup_client__minifirewall tags: @@ -9,7 +9,7 @@ - evobackup_client_backup_firewall - name: Add backup SSH port in /etc/default/minifirewall - blockinfile: + ansible.builtin.blockinfile: dest: /etc/default/minifirewall marker: "# {mark} {{ item.name }}" block: | diff --git a/evobackup-client/tasks/ssh_key.yml b/evobackup-client/tasks/ssh_key.yml index 6438634e..1b2617f9 100644 --- a/evobackup-client/tasks/ssh_key.yml +++ b/evobackup-client/tasks/ssh_key.yml @@ -1,7 +1,7 @@ --- - name: Create SSH key - user: + ansible.builtin.user: name: root generate_ssh_key: true ssh_key_file: "{{ evobackup_client__root_key_path }}" @@ -12,7 +12,7 @@ - evobackup_client_backup_ssh_key - name: Print SSH key - debug: + ansible.builtin.debug: var: evobackup_client__root_key.ssh_public_key when: evobackup_client__root_key.ssh_public_key is defined tags: @@ -20,7 +20,7 @@ - evobackup_client_backup_ssh_key - name: 'copy ssh public key to backup server' - copy: + ansible.builtin.copy: content: "{{ evobackup_client__root_key.ssh_public_key }}" dest: "/root/{{ evolinux_hostname }}.pub" become: true diff --git a/evobackup-client/tasks/upload_scripts.yml b/evobackup-client/tasks/upload_scripts.yml index 1ef4a74f..1349a72d 100644 --- a/evobackup-client/tasks/upload_scripts.yml +++ b/evobackup-client/tasks/upload_scripts.yml @@ -1,7 +1,7 @@ --- - name: Upload evobackup script - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ evobackup_client__cron_path }}" force: true diff --git a/evobackup-client/tasks/verify_ssh.yml b/evobackup-client/tasks/verify_ssh.yml index d48fb455..07238f9e 100644 --- a/evobackup-client/tasks/verify_ssh.yml +++ b/evobackup-client/tasks/verify_ssh.yml 
@@ -1,7 +1,7 @@ --- - name: Verify evolix backup servers - known_hosts: + ansible.builtin.known_hosts: path: /root/.ssh/known_hosts name: "[{{ item.name }}]:{{ item.port }}" key: "[{{ item.name }}]:{{ item.port }} {{ item.fingerprint }}" diff --git a/evocheck/tasks/cron.yml b/evocheck/tasks/cron.yml index ecf1e1d0..cfea8ca2 100644 --- a/evocheck/tasks/cron.yml +++ b/evocheck/tasks/cron.yml @@ -1,8 +1,8 @@ --- - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash failed_when: False changed_when: False @@ -10,7 +10,7 @@ register: is_cron_installed - name: evocheck crontab is updated - template: + ansible.builtin.template: src: crontab.j2 dest: /etc/cron.d/evocheck mode: "0644" diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 306cf019..d5aa9320 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -1,6 +1,7 @@ --- - name: run evocheck - command: "{{ evocheck_bin_dir }}/evocheck.sh" + ansible.builtin.command: + cmd: "{{ evocheck_bin_dir }}/evocheck.sh" register: evocheck_run changed_when: False failed_when: False @@ -8,7 +9,7 @@ tags: - evocheck-exec -- debug: +- ansible.builtin.debug: var: evocheck_run.stdout_lines when: evocheck_run.stdout | length > 0 tags: diff --git a/evocheck/tasks/install.yml b/evocheck/tasks/install.yml index 8abd7d57..b210302b 100644 --- a/evocheck/tasks/install.yml +++ b/evocheck/tasks/install.yml @@ -1,12 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: evocheck_bin_dir is search("/usr") tags: - evocheck - name: Scripts dir is present - file: + ansible.builtin.file: path: "{{ evocheck_bin_dir }}" state: directory owner: root 
@@ -16,22 +16,22 @@ - evocheck - name: Script for Debian 7 and earlier - set_fact: + ansible.builtin.set_fact: evocheck_script_src: evocheck.wheezy.sh when: ansible_distribution_major_version is version('7', '<=') - name: Script for Debian 8 - set_fact: + ansible.builtin.set_fact: evocheck_script_src: evocheck.jessie.sh when: ansible_distribution_major_version is version('8', '=') - name: Script for Debian 9 and later - set_fact: + ansible.builtin.set_fact: evocheck_script_src: evocheck.sh when: ansible_distribution_major_version is version('9', '>=') - name: Copy evocheck.sh - copy: + ansible.builtin.copy: src: "{{ evocheck_script_src }}" dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" @@ -41,7 +41,7 @@ - evocheck - name: Copy evocheck.cf - copy: + ansible.builtin.copy: src: evocheck.cf dest: /etc/evocheck.cf force: no diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml index 14c6988f..ad47a24e 100644 --- a/evocheck/tasks/main.yml +++ b/evocheck/tasks/main.yml @@ -1,6 +1,6 @@ --- -- include: install.yml +- ansible.builtin.include: install.yml -- include: cron.yml +- ansible.builtin.include: cron.yml when: evocheck_update_crontab | bool diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 388bf051..1c6df437 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml 
@@ -1,75 +1,81 @@ --- - name: dpkg-reconfigure-debconf - command: dpkg-reconfigure --frontend noninteractive debconf + ansible.builtin.command: + cmd: dpkg-reconfigure --frontend noninteractive debconf - name: dpkg-reconfigure-locales - command: dpkg-reconfigure --frontend noninteractive locales + ansible.builtin.command: + cmd: dpkg-reconfigure --frontend noninteractive locales - name: dpkg-reconfigure-apt - command: dpkg-reconfigure --frontend noninteractive apt-listchanges + ansible.builtin.command: + cmd: dpkg-reconfigure --frontend noninteractive apt-listchanges # - name: debconf-set-selections # command: debconf-set-selections /root/debconf-preseed - name: apt update - apt: + ansible.builtin.apt: update_cache: yes - name: restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted - name: remount /home - command: mount -o remount /home + ansible.builtin.command: + cmd: mount -o remount /home - name: remount /var - command: mount -o remount /var + ansible.builtin.command: + cmd: mount -o remount /var - name: restart nginx - service: + ansible.builtin.service: name: nginx state: restarted - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: restart apache - service: + ansible.builtin.service: name: apache2 state: restarted - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded - name: restart cron - service: + ansible.builtin.service: name: cron state: restarted - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases changed_when: False - name: reload sshd - service: + ansible.builtin.service: name: ssh state: reloaded - name: reload postfix - service: + ansible.builtin.service: name: postfix state: reloaded - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index e8ceb996..5ee3c238 100644 
--- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml @@ -9,5 +9,5 @@ # mode: "0700" # state: directory -- include_role: +- ansible.builtin.include_role: name: evolix/evolinux-todo diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml index 6e1673a6..a146ec5c 100644 --- a/evolinux-base/tasks/hardware.dell.yml +++ b/evolinux-base/tasks/hardware.dell.yml @@ -7,7 +7,8 @@ # This is still incompatible with Debian - name: Check if PERC HBA11 device is present - ansible.builtin.shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'" + ansible.builtin.shell: + cmd: "lspci | grep -qE 'MegaRAID.*SAS39xx'" check_mode: no register: perc_hba11_search failed_when: False @@ -74,7 +75,7 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: hwraid_sources is changed diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index d9b0cdcd..30badf70 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -67,13 +67,13 @@ - packages - name: "HP" - import_tasks: hardware.hp.yml + ansible.builtin.import_tasks: hardware.hp.yml when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout or 'Adaptec Smart Storage PQI' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool - name: "Dell" - import_tasks: hardware.dell.yml + ansible.builtin.import_tasks: hardware.dell.yml when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 35b48830..fc9f5b87 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
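Review bot: The `lspci | grep -qE 'MegaRAID.*SAS39xx'` pipeline in evolinux-base/tasks/hardware.dell.yml runs without `set -o pipefail`, so a failing or missing `lspci` is indistinguishable from "no such device" once `failed_when: False` is applied; the comparable `dpkg -l cron | grep` checks rewritten in etc-git/tasks/utils.yml and evocheck/tasks/cron.yml in this same diff do set it. For consistency, `cmd: "set -o pipefail && lspci | grep -qE 'MegaRAID.*SAS39xx'"` with `executable: /bin/bash` would let the consumer of `perc_hba11_search` (outside the hunk) tell the two cases apart by return code. The surrounding block of the task continues outside the hunk.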
@@ -1,14 +1,14 @@ --- - name: "System compatibility checks" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: only compatible with Debian >= 8 - name: Apt configuration - include_role: + ansible.builtin.include_role: name: evolix/apt vars: apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" 
@@ -18,52 +18,52 @@ when: evolinux_apt_include | bool - name: /etc versioning with Git - include_role: + ansible.builtin.include_role: name: evolix/etc-git when: evolinux_etcgit_include | bool - name: /etc/evolinux base - import_tasks: etc-evolinux.yml + ansible.builtin.import_tasks: etc-evolinux.yml when: evolinux_etcevolinux_include | bool - name: Hostname - import_tasks: hostname.yml + ansible.builtin.import_tasks: hostname.yml when: evolinux_hostname_include | bool - name: Kernel tuning - import_tasks: kernel.yml + ansible.builtin.import_tasks: kernel.yml when: evolinux_kernel_include | bool - name: Fstab configuration - import_tasks: fstab.yml + ansible.builtin.import_tasks: fstab.yml when: evolinux_fstab_include | bool - name: Packages - import_tasks: packages.yml + ansible.builtin.import_tasks: packages.yml when: evolinux_packages_include | bool - name: System settings - import_tasks: system.yml + ansible.builtin.import_tasks: system.yml when: evolinux_system_include | bool - name: Minifirewall - include_role: + ansible.builtin.include_role: name: evolix/minifirewall when: evolinux_minifirewall_include | bool - name: Evomaintenance - include_role: + ansible.builtin.include_role: name: evolix/evomaintenance when: evolinux_evomaintenance_include | bool - name: SSH configuration (single file) - import_tasks: ssh.single-file.yml + ansible.builtin.import_tasks: ssh.single-file.yml when: - ansible_distribution_major_version is version('12', '<') - evolinux_ssh_include | bool - name: SSH configuration (included-files) - import_tasks: ssh.included-files.yml + ansible.builtin.import_tasks: ssh.included-files.yml when: - ansible_distribution_major_version is version('12', '>=') - evolinux_ssh_include | bool 
@@ -75,71 +75,71 @@ # when: evolinux_users_include - name: Root user configuration - import_tasks: root.yml + ansible.builtin.import_tasks: root.yml when: evolinux_root_include | bool - name: Postfix - import_tasks: postfix.yml + ansible.builtin.import_tasks: postfix.yml when: evolinux_postfix_include | bool - name: Logs management - import_tasks: logs.yml + ansible.builtin.import_tasks: logs.yml when: evolinux_logs_include | bool - name: Default index page - import_tasks: default_www.yml + ansible.builtin.import_tasks: default_www.yml when: evolinux_default_www_include | bool - name: Hardware drivers and tools - import_tasks: hardware.yml + ansible.builtin.import_tasks: hardware.yml when: - evolinux_hardware_include | bool - ansible_virtualization_role == "host" - name: Customize for Online.net - import_tasks: provider_online.yml + ansible.builtin.import_tasks: provider_online.yml when: evolinux_provider_online_include | bool - name: Customize for Orange FCE - import_tasks: provider_orange_fce.yml + ansible.builtin.import_tasks: provider_orange_fce.yml when: evolinux_provider_orange_fce_include | bool - name: Override Log2mail service - import_tasks: log2mail.yml + ansible.builtin.import_tasks: log2mail.yml when: evolinux_log2mail_include | bool -- import_tasks: motd.yml +- ansible.builtin.import_tasks: motd.yml when: evolinux_motd_include | bool -- import_tasks: utils.yml +- ansible.builtin.import_tasks: utils.yml when: evolinux_utils_include | bool - name: Munin - include_role: + ansible.builtin.include_role: name: evolix/munin when: evolinux_munin_include | bool - name: Nagios/NRPE - include_role: + ansible.builtin.include_role: name: evolix/nagios-nrpe when: evolinux_nagios_nrpe_include | bool - name: fail2ban - include_role: + ansible.builtin.include_role: name: evolix/fail2ban when: evolinux_fail2ban_include | bool - name: Evocheck - include_role: + ansible.builtin.include_role: name: evolix/evocheck when: evolinux_evocheck_include | bool - name: Listupgrade 
- include_role: + ansible.builtin.include_role: name: evolix/listupgrade when: evolinux_listupgrade_include | bool - name: Generate ldif script - include_role: + ansible.builtin.include_role: name: evolix/generate-ldif when: evolinux_generateldif_include | bool diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index c6965e09..ecad62d9 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -34,7 +34,7 @@ # TODO : find a way to force the console-data configuration # non-interactively (like tzdata ↑) -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Ensure automagic vim conf is disabled @@ -129,7 +129,7 @@ - is_cron_installed.rc == 0 - evolinux_system_cron_random | bool -- include_role: +- ansible.builtin.include_role: name: evolix/ntpd ## alert5 diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 76fbac82..a97be579 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -1,9 +1,9 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr -- include_tasks: +- ansible.builtin.include_tasks: file: dump-server-state.yml - name: "/sbin/deny script is present" diff --git a/evolinux-todo/tasks/cat.yml b/evolinux-todo/tasks/cat.yml index 58e3ba4c..e1d4faf8 100644 --- a/evolinux-todo/tasks/cat.yml +++ b/evolinux-todo/tasks/cat.yml @@ -1,13 +1,14 @@ --- - name: cat /etc/evolinux/todo.txt - command: "cat /etc/evolinux/todo.txt" + ansible.builtin.command: + cmd: "cat /etc/evolinux/todo.txt" register: evolinux_todo changed_when: False failed_when: False check_mode: no - name: "Content of /etc/evolinux/todo.txt" - debug: + ansible.builtin.debug: var: evolinux_todo.stdout_lines when: evolinux_todo.stdout | length > 0 diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml index 8b5fa6b7..0cf5628c 100644 --- a/evolinux-todo/tasks/main.yml +++ b/evolinux-todo/tasks/main.yml 
@@ -1,14 +1,14 @@ --- - name: /etc/evolinux is present - file: + ansible.builtin.file: dest: /etc/evolinux mode: "0700" state: directory when: ansible_distribution == "Debian" - name: /etc/evolinux/todo.txt is present - copy: + ansible.builtin.copy: src: todo.defaults.txt dest: /etc/evolinux/todo.txt mode: "0640" diff --git a/evolinux-users/handlers/main.yml b/evolinux-users/handlers/main.yml index a94909a5..039ab7c2 100644 --- a/evolinux-users/handlers/main.yml +++ b/evolinux-users/handlers/main.yml @@ -1,9 +1,10 @@ --- - name: reload sshd - service: + ansible.builtin.service: name: sshd state: reloaded - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases changed_when: False diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index 1e9cc5a3..f0fd703a 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -1,18 +1,18 @@ --- - name: "System compatibility checks" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: only compatible with Debian >= 8 -- debug: +- ansible.builtin.debug: msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" when: evolinux_users | length == 0 - name: Create user accounts - include: user.yml + ansible.builtin.include: user.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" @@ -21,8 +21,8 @@ - evolinux_users | length > 0 - name: Configure sudo - include: sudo.yml + ansible.builtin.include: sudo.yml - name: Configure SSH - include: ssh.yml + ansible.builtin.include: ssh.yml when: evolinux_users | length > 0 diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 25a08297..9110911f 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml 
@@ -1,51 +1,53 @@ --- - name: verify AllowGroups directive - command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowgroups_ssh -- debug: +- ansible.builtin.debug: var: grep_allowgroups_ssh verbosity: 1 - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowusers_ssh -- debug: +- ansible.builtin.debug: var: grep_allowusers_ssh verbosity: 1 -- assert: +- ansible.builtin.assert: that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" msg: "We can't deal with AllowUsers and AllowGroups at the same time" -- set_fact: +- ansible.builtin.set_fact: # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+", ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}" # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10" ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}" -- debug: +- ansible.builtin.debug: var: ssh_allowgroups verbosity: 1 -- debug: +- ansible.builtin.debug: var: ssh_allowusers verbosity: 1 -- include: ssh_allowgroups.yml +- ansible.builtin.include: ssh_allowgroups.yml when: - ssh_allowgroups - not ssh_allowusers -- include: ssh_allowusers.yml +- ansible.builtin.include: ssh_allowusers.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" 
@@ -55,11 +57,11 @@ - not ssh_allowgroups - name: disable root login - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" notify: reload sshd when: evolinux_root_disable_ssh | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml index a4e4ee54..2dac1f80 100644 --- a/evolinux-users/tasks/ssh_allowgroups.yml +++ b/evolinux-users/tasks/ssh_allowgroups.yml @@ -3,14 +3,15 @@ # this check must be repeated for each user # even if it's been done before - name: verify AllowGroups directive - command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowgroups_ssh - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowGroups {{ evolinux_ssh_group }}" insertafter: 'Subsystem' @@ -19,7 +20,7 @@ when: grep_allowgroups_ssh.rc != 0 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' replace: '\1 {{ evolinux_ssh_group }}' diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml index 1aa31f3c..00827a46 100644 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ b/evolinux-users/tasks/ssh_allowusers.yml 
@@ -3,14 +3,15 @@ # this check must be repeated for each user # even if it's been done before - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowusers_ssh - name: "Add AllowUsers sshd directive with '{{ user.name }}'" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ user.name }}" insertafter: 'Subsystem' @@ -19,7 +20,7 @@ when: grep_allowusers_ssh.rc != 0 - name: "Append '{{ user.name }}' to AllowUsers sshd directive" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' replace: '\1 {{ user.name }}' @@ -28,14 +29,15 @@ when: grep_allowusers_ssh.rc == 0 - name: "verify Match User directive" - command: "grep -E '^Match User' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^Match User' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_matchuser_ssh - name: "Add Match User sshd directive with '{{ user.name }}'" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" @@ -44,7 +46,7 @@ when: grep_matchuser_ssh.rc != 0 - name: "Append '{{ user.name }}' to Match User's sshd directive" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(Match User ((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 769e7a4e..85149147 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -1,6 +1,6 @@ --- -- include: sudo_jessie.yml +- ansible.builtin.include: sudo_jessie.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" 
@@ -11,9 +11,9 @@ - block: - - include: sudo_stretch_common.yml + - ansible.builtin.include: sudo_stretch_common.yml - - include: sudo_stretch_user.yml + - ansible.builtin.include: sudo_stretch_user.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" @@ -24,4 +24,4 @@ - ansible_distribution_major_version is defined - ansible_distribution_major_version is version('9', '>=') -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index d3f70198..6400a8ee 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml @@ -1,7 +1,7 @@ --- - name: "Verify Evolinux sudoers file presence (jessie)" - template: + ansible.builtin.template: src: sudoers_jessie.j2 dest: /etc/sudoers.d/evolinux force: no @@ -10,7 +10,7 @@ register: copy_sudoers_evolinux - name: "Add user in sudoers file for '{{ user.name }}' (jessie)" - replace: + ansible.builtin.replace: dest: /etc/sudoers.d/evolinux regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' diff --git a/evolinux-users/tasks/sudo_stretch_common.yml b/evolinux-users/tasks/sudo_stretch_common.yml index fb8f9ac7..ba7fb50b 100644 --- a/evolinux-users/tasks/sudo_stretch_common.yml +++ b/evolinux-users/tasks/sudo_stretch_common.yml @@ -1,7 +1,7 @@ --- - name: "/etc/sudoers.d presence and permissions" - file: + ansible.builtin.file: path: /etc/sudoers.d owner: root group: root @@ -9,7 +9,7 @@ state: directory - name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)" - template: + ansible.builtin.template: src: sudoers_stretch.j2 dest: /etc/sudoers.d/evolinux force: no @@ -18,6 +18,7 @@ register: copy_sudoers_evolinux - name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)" - group: + + ansible.builtin.group: name: "{{ evolinux_sudo_group }}" system: yes 
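Review bot: The sudo_stretch_common.yml hunk `@@ -18,6 +18,7 @@` replaces `- group:` with two lines, an empty one and `ansible.builtin.group:`, leaving a stray blank line between the task's `name:` and its module key; YAML tolerates it, but it breaks the layout every other task in this commit uses and looks like an editing slip. Drop the empty line so the task reads `- name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)"` directly followed by `ansible.builtin.group:`. The same blank line is introduced three times in evolinux-users/tasks/user.yml (hunks at L175 and L176).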
diff --git a/evolinux-users/tasks/sudo_stretch_user.yml b/evolinux-users/tasks/sudo_stretch_user.yml index 97f1f77d..40830535 100644 --- a/evolinux-users/tasks/sudo_stretch_user.yml +++ b/evolinux-users/tasks/sudo_stretch_user.yml @@ -1,13 +1,13 @@ --- - name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ evolinux_sudo_group }}" append: yes - name: "Add user to 'adm' group (Debian 9 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "adm" append: yes diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 0f8bd480..5bba2e0e 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -2,23 +2,25 @@ # Unix account -- fail: +- ansible.builtin.fail: msg: "You must provide a value for the 'user.name ' variable." when: (user.name is not defined) or (user.name | length == 0) -- fail: +- ansible.builtin.fail: msg: "You must provide a value for the 'user.uid ' variable." when: (user.uid is not defined) or (user.uid | string | length == 0) - name: "Test if '{{ user.name }}' exists" - command: 'id -u "{{ user.name }}"' + ansible.builtin.command: + cmd: 'id -u "{{ user.name }}"' register: get_id_from_login failed_when: False changed_when: False check_mode: no - name: "Test if uid '{{ user.uid }}' exists" - command: 'id -un -- "{{ user.uid }}"' + ansible.builtin.command: + cmd: 'id -un -- "{{ user.uid }}"' register: get_login_from_id failed_when: False changed_when: False @@ -28,7 +30,7 @@ # the uid already exists # and the user associated with this uid is not the desired user - name: "Fail if uid already exists for another user" - fail: + ansible.builtin.fail: msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'" when: - get_login_from_id.rc == 0 
@@ -38,7 +40,7 @@ # the user doesn't already exist and the uid isn't already used # or the user exists with the defined uid - name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')" - user: + ansible.builtin.user: state: present uid: '{{ user.uid }}' name: '{{ user.name }}' @@ -53,7 +55,7 @@ # the user doesn't already exist but the defined uid is already used # or another user already exists with a the same uid - name: "Unix account for '{{ user.name }}' is present (with random uid)" - user: + ansible.builtin.user: state: present name: '{{ user.name }}' comment: '{{ user.fullname }}' @@ -64,12 +66,12 @@ - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name) - name: Is /etc/aliases present? - stat: + ansible.builtin.stat: path: /etc/aliases register: etc_aliases - name: Set mail alias - lineinfile: + ansible.builtin.lineinfile: state: present dest: /etc/aliases line: '{{ user.name }}: root' @@ -82,13 +84,14 @@ ## Group for SSH authorizations - name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)" - group: + + ansible.builtin.group: name: "{{ evolinux_ssh_group }}" state: present when: ansible_distribution_major_version is version('10', '>=') - name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ evolinux_ssh_group }}" append: yes @@ -97,7 +100,8 @@ ## Optional group for all evolinux users - name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)" - group: + + ansible.builtin.group: name: "{{ evolinux_internal_group }}" state: present when: 
@@ -106,7 +110,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ evolinux_internal_group }}" append: yes @@ -118,7 +122,8 @@ ## Optional secondary groups, defined per user - name: "Secondary Unix groups are present" - group: + + ansible.builtin.group: name: "{{ group }}" loop: "{{ user.groups }}" loop_control: @@ -128,7 +133,7 @@ - user.groups | length > 0 - name: "Unix user '{{ user.name }}' belongs to secondary groups" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ user.groups | join(',') }}" append: yes @@ -139,7 +144,7 @@ # Permissions on home directory - name: "Home directory for '{{ user.name }}' is not accessible by group and other users" - file: + ansible.builtin.file: name: '/home/{{ user.name }}' mode: "0700" state: directory @@ -147,7 +152,8 @@ # Evomaintenance - name: Search profile for presence of evomaintenance - command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile' + ansible.builtin.command: + cmd: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile' changed_when: False failed_when: False check_mode: no @@ -155,7 +161,7 @@ ## Don't add the trap if it is present or commented - name: "User '{{ user.name }}' has its shell trap for evomaintenance" - lineinfile: + ansible.builtin.lineinfile: state: present dest: '/home/{{ user.name }}/.profile' insertafter: EOF @@ -165,7 +171,7 @@ # SSH keys - name: "SSH directory for '{{ user.name }}' is present" - file: + ansible.builtin.file: dest: '/home/{{ user.name }}/.ssh/' state: directory mode: "0700" @@ -173,7 +179,7 @@ group: '{{ user.name }}' - name: "SSH public key for '{{ user.name }}' is present" - authorized_key: + ansible.posix.authorized_key: user: "{{ user.name }}" key: "{{ user.ssh_key }}" state: present 
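Review bot: The `@@ -173,7 +179,7 @@` hunk moves `authorized_key` to `ansible.posix.authorized_key`, which is no longer part of the builtin set: unless the `ansible.posix` collection is installed wherever these roles run, the task fails to resolve instead of silently falling back. I cannot see a `requirements.yml` or collection pin in this diff, so it is worth confirming one exists (or adding one) and noting the new requirement in the role's README. The same applies to `ansible.posix.authorized_key` at L177, `community.general.ini_file` at L181 and `ansible.posix.sysctl` at L188.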
@@ -182,7 +188,7 @@ - user.ssh_key | length > 0 - name: "SSH public keys for '{{ user.name }}' are present" - authorized_key: + ansible.posix.authorized_key: user: "{{ user.name }}" key: "{{ ssk_key }}" state: present @@ -193,4 +199,4 @@ - user.ssh_keys is defined - user.ssh_keys | length > 0 -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evomaintenance/handlers/main.yml b/evomaintenance/handlers/main.yml index 37c9af95..63cfcd86 100644 --- a/evomaintenance/handlers/main.yml +++ b/evomaintenance/handlers/main.yml @@ -1,14 +1,15 @@ --- - name: restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - "'minifirewall started' not in minifirewall_init_restart.stdout" - name: restart minifirewall (noop) - meta: noop + ansible.builtin.meta: noop register: minifirewall_init_restart failed_when: False changed_when: False diff --git a/evomaintenance/tasks/config.yml b/evomaintenance/tasks/config.yml index 99339874..d3e7a1b7 100644 --- a/evomaintenance/tasks/config.yml +++ b/evomaintenance/tasks/config.yml @@ -1,6 +1,6 @@ --- -- assert: +- ansible.builtin.assert: that: - evomaintenance_api_endpoint is not none - evomaintenance_api_key is not none @@ -8,7 +8,7 @@ when: evomaintenance_hook_api | bool - name: Configuration is installed - template: + ansible.builtin.template: src: evomaintenance.j2 dest: /etc/evomaintenance.cf owner: root diff --git a/evomaintenance/tasks/install_package_debian.yml b/evomaintenance/tasks/install_package_debian.yml index ce9d90e7..f4a16d00 100644 --- a/evomaintenance/tasks/install_package_debian.yml +++ b/evomaintenance/tasks/install_package_debian.yml 
@@ -1,14 +1,14 @@ --- - name: Evolix public repositry is installed - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: evolix_public.yml tags: - evomaintenance - name: Package is installed - apt: + ansible.builtin.apt: name: evomaintenance allow_unauthenticated: yes tags: diff --git a/evomaintenance/tasks/install_vendor_debian.yml b/evomaintenance/tasks/install_vendor_debian.yml index 99448e3c..c8fb6183 100644 --- a/evomaintenance/tasks/install_vendor_debian.yml +++ b/evomaintenance/tasks/install_vendor_debian.yml @@ -1,7 +1,7 @@ --- - name: Dependencies are installed - apt: + ansible.builtin.apt: name: - sudo - curl @@ -10,7 +10,7 @@ - evomaintenance - name: PG dependencies are installed - apt: + ansible.builtin.apt: name: - postgresql-client state: present @@ -18,13 +18,13 @@ tags: - evomaintenance -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - evomaintenance - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -34,7 +34,7 @@ - evomaintenance - name: Evomaintenance script and template are installed - copy: + ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: root diff --git a/evomaintenance/tasks/install_vendor_other.yml b/evomaintenance/tasks/install_vendor_other.yml index a28eeab3..ece9aae2 100644 --- a/evomaintenance/tasks/install_vendor_other.yml +++ b/evomaintenance/tasks/install_vendor_other.yml @@ -1,12 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - evomaintenance - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -16,7 +16,7 @@ - evomaintenance - name: Evomaintenance script and template are installed - copy: + ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: root 
diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 1f4a6f55..88a41900 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml @@ -1,24 +1,24 @@ --- -- include: install_package_debian.yml +- ansible.builtin.include: install_package_debian.yml when: - not (evomaintenance_install_vendor | bool) - ansible_distribution == "Debian" -- include: install_vendor_debian.yml +- ansible.builtin.include: install_vendor_debian.yml when: - evomaintenance_install_vendor | bool - ansible_distribution == "Debian" -- include: install_vendor_other.yml +- ansible.builtin.include: install_vendor_other.yml when: - evomaintenance_install_vendor | bool - ansible_distribution != "Debian" -- include: config.yml +- ansible.builtin.include: config.yml -- include: minifirewall.yml +- ansible.builtin.include: minifirewall.yml when: - evomaintenance_hook_db | bool - ansible_distribution == "Debian" diff --git a/evomaintenance/tasks/minifirewall.yml b/evomaintenance/tasks/minifirewall.yml index 98dad15b..8b02a83b 100644 --- a/evomaintenance/tasks/minifirewall.yml +++ b/evomaintenance/tasks/minifirewall.yml @@ -1,17 +1,17 @@ --- -- set_fact: +- ansible.builtin.set_fact: minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" - name: Is minifirewall installed? - stat: + ansible.builtin.stat: path: /etc/default/minifirewall register: minifirewall_default_file tags: - evomaintenance - name: minifirewall section for evomaintenance - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/minifirewall line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" 
@@ -22,7 +22,7 @@ - evomaintenance - name: remove minifirewall example rule for the proxy - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/minifirewall regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent @@ -32,7 +32,8 @@ - evomaintenance - name: Force restart minifirewall - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: restart minifirewall when: minifirewall_restart_force | bool tags: diff --git a/evomaintenance/tasks/trap.yml b/evomaintenance/tasks/trap.yml index 0c3b70e0..004a6513 100644 --- a/evomaintenance/tasks/trap.yml +++ b/evomaintenance/tasks/trap.yml @@ -1,5 +1,5 @@ - name: is {{ home }}/.bash_profile present? - stat: + ansible.builtin.stat: path: "{{ home }}/.bash_profile" check_mode: no register: bash_profile @@ -7,7 +7,7 @@ - evomaintenance - name: install shell trap in {{ home }}/.bash_profile - lineinfile: + ansible.builtin.lineinfile: dest: "{{ home }}/.bash_profile" line: "trap \"sudo /usr/share/scripts/evomaintenance.sh\" 0" insertafter: EOF @@ -17,7 +17,7 @@ - evomaintenance - name: is {{ home }}/.profile present? - stat: + ansible.builtin.stat: path: "{{ home }}/.profile" check_mode: no register: profile @@ -26,7 +26,7 @@ - evomaintenance - name: install shell trap in {{ home }}/.profile - lineinfile: + ansible.builtin.lineinfile: dest: "{{ home }}/.profile" line: "trap \"sudo /usr/share/scripts/evomaintenance.sh\" 0" insertafter: EOF diff --git a/fail2ban/handlers/main.yml b/fail2ban/handlers/main.yml index 85f32698..49db2f25 100644 --- a/fail2ban/handlers/main.yml +++ b/fail2ban/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart fail2ban - service: + ansible.builtin.service: name: fail2ban state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml index dbf9c0d9..6fa86c91 100644 --- a/fail2ban/tasks/fix-dbpurgeage.yml 
+++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -6,23 +6,24 @@ state: present - name: Register bantime from default config from package - shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1" + ansible.builtin.shell: + cmd: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1" register: dbpurgeage changed_when: False check_mode: false - name: - set_fact: + ansible.builtin.set_fact: dbpurgeage_default : "{{ dbpurgeage.stdout }}" when: dbpurgeage.stdout | regex_search("^\\d+\w+$") - name: - set_fact: + ansible.builtin.set_fact: dbpurgeage_default : "{{ dbpurgeage.stdout }} second" when: dbpurgeage.stdout | regex_search("^\\d+$") - name: Add crontab - template: + ansible.builtin.template: src: fail2ban_dbpurge.j2 dest: /etc/cron.daily/fail2ban_dbpurge mode: 0700 diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml index f899e618..02cdb3c9 100644 --- a/fail2ban/tasks/ip_whitelist.yml +++ b/fail2ban/tasks/ip_whitelist.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" - name: Update ignoreips lists - ini_file: + community.general.ini_file: dest: /etc/fail2ban/jail.local section: "DEFAULT" option: "ignoreip" diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index b9c2d109..1629a02a 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -3,7 +3,7 @@ # or we risk being jailed by fail2ban - name: Prepare fail2ban hierarchy - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root 
@@ -16,13 +16,13 @@ tags: - fail2ban -- set_fact: +- ansible.builtin.set_fact: fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" tags: - fail2ban - name: local jail is installed - template: + ansible.builtin.template: src: jail.local.j2 dest: /etc/fail2ban/jail.local mode: "0644" @@ -32,13 +32,13 @@ - fail2ban - name: Include ignoredips update task - include: ip_whitelist.yml + ansible.builtin.include: ip_whitelist.yml when: fail2ban_force_update_ignore_ips | bool tags: - fail2ban - name: custom filters are installed - copy: + ansible.builtin.copy: src: "{{ item }}" dest: /etc/fail2ban/filter.d/ mode: "0644" @@ -53,7 +53,7 @@ - fail2ban - name: package fail2ban is installed - apt: + ansible.builtin.apt: name: fail2ban state: present tags: @@ -61,7 +61,7 @@ - packages - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugins check_mode: no register: etc_munin_plugins @@ -70,7 +70,7 @@ - munin - name: is fail2ban Munin plugin available ? - stat: + ansible.builtin.stat: path: /usr/share/munin/plugins/fail2ban check_mode: no register: fail2ban_munin_plugin @@ -79,7 +79,7 @@ - munin - name: Enable Munin plugins - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/fail2ban" dest: "/etc/munin/plugins/fail2ban" state: link @@ -92,7 +92,7 @@ - munin - name: "Extend dbpurgeage if recidive jail is enabled" - blockinfile: + ansible.builtin.blockinfile: dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage marker: "# ANSIBLE MANAGED" block: | @@ -106,7 +106,7 @@ - fail2ban_recidive - name: Fix dbpurgeage for stretch and buster - include: fix-dbpurgeage.yml + ansible.builtin.include: fix-dbpurgeage.yml when: - ansible_distribution_release == "stretch" or ansible_distribution_release == "buster" tags: diff --git a/filebeat/handlers/main.yml b/filebeat/handlers/main.yml index 3ad08a63..8456ee33 100644 --- a/filebeat/handlers/main.yml +++ b/filebeat/handlers/main.yml 
@@ -1,7 +1,7 @@ --- - name: restart filebeat - systemd: + ansible.builtin.systemd: name: filebeat state: restarted when: not ansible_check_mode diff --git a/filebeat/tasks/apt_sources.yml b/filebeat/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/filebeat/tasks/apt_sources.yml +++ b/filebeat/tasks/apt_sources.yml @@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 0c20cc6c..86dd617b 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Filebeat is installed - apt: + ansible.builtin.apt: name: filebeat state: "{% if filebeat_upgrade_package %}latest{% else %}present{% endif %}" notify: restart filebeat @@ -17,20 +17,21 @@ - packages - name: Filebeat service is enabled - systemd: + ansible.builtin.systemd: name: filebeat enabled: yes notify: restart filebeat when: not ansible_check_mode - name: is logstash-plugin available? - stat: + ansible.builtin.stat: path: /usr/share/logstash/bin/logstash-plugin check_mode: no register: logstash_plugin - name: is logstash-input-beats installed? - command: grep logstash-input-beats /usr/share/logstash/Gemfile + ansible.builtin.command: + cmd: grep logstash-input-beats /usr/share/logstash/Gemfile check_mode: no register: logstash_plugin_installed failed_when: False 
@@ -41,11 +42,11 @@ - name: Logstash plugin is installed block: - - include_role: + - ansible.builtin.include_role: name: evolix/remount-usr - name: logstash-plugin install logstash-input-beats - command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats + ansible.builtin.command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats when: - filebeat_logstash_plugin | bool - logstash_plugin.stat.exists @@ -54,7 +55,7 @@ # When we don't use a config template (default) - block: - name: cloud_metadata processor is disabled - replace: + ansible.builtin.replace: dest: /etc/filebeat/filebeat.yml regexp: '^(\s+)(- add_cloud_metadata:)' replace: '\1# \2' @@ -62,7 +63,7 @@ when: not (filebeat_processors_cloud_metadata | bool) - name: cloud_metadata processor is disabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml line: " - add_cloud_metadata: ~" insert_after: '^processors:' @@ -70,7 +71,7 @@ when: filebeat_processors_cloud_metadata | bool - name: Filebeat knows where to find Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '^ hosts: .*' line: " hosts: [\"{{ filebeat_elasticsearch_hosts | join('\", \"') }}\"]" @@ -79,7 +80,7 @@ when: filebeat_elasticsearch_hosts | length > 0 - name: Filebeat protocol for Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '^ #?protocol: .*' line: " protocol: \"{{ filebeat_elasticsearch_protocol }}\"" @@ -88,7 +89,7 @@ when: filebeat_elasticsearch_protocol == "http" or filebeat_elasticsearch_protocol == "https" - name: Filebeat auth/username for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '{{ item.regexp }}' line: '{{ item.line }}' 
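Review bot: The logstash-plugin task in the `@@ -41,11 +42,11 @@` hunk is converted to the inline form `ansible.builtin.command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats`, whereas every other `command`/`shell` task in this commit is converted to the explicit `cmd:` form; for consistency it should become `ansible.builtin.command:` followed by `cmd: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats`. Separately, the context line `insert_after: '^processors:'` in the `@@ -62,7 +63,7 @@` hunk does not look like a `lineinfile` parameter (the documented one is `insertafter`), which would make that task error out at runtime; it predates this commit but appears worth checking while the file is being touched.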
@@ -105,7 +106,7 @@ - not ansible_check_mode - name: Filebeat api_key for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '^ #?api_key: .*' line: ' api_key: "{{ filebeat_elasticsearch_auth_api_key }}"' @@ -116,7 +117,7 @@ # When we use a config template - block: - name: Configuration is up-to-date - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/filebeat/filebeat.yml force: "{{ filebeat_force_config }}" diff --git a/fluentd/handlers/main.yml b/fluentd/handlers/main.yml index 2468cef3..e87c76ab 100644 --- a/fluentd/handlers/main.yml +++ b/fluentd/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart fluentd - systemd: + ansible.builtin.systemd: name: td-agent state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index fa9a0470..b6f262c1 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Add Fluentd GPG key - copy: + ansible.builtin.copy: src: treasuredata.asc dest: "{{ apt_keyring_dir }}/treasuredata.asc" force: yes @@ -13,7 +13,7 @@ - fluentd - name: Add Treasuredata repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" filename: treasuredata state: present @@ -35,12 +35,12 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: treasuredata_sources is changed - name: Fluentd is installed. - apt: + ansible.builtin.apt: name: td-agent state: present tags: 
@@ -48,7 +48,7 @@ - packages - name: Fluentd is configured. - template: + ansible.builtin.template: src: td-agent.conf.j2 dest: "{{ fluentd_conf_path }}" mode: "0644" @@ -57,7 +57,7 @@ - fluentd - name: Fluentd is running and enabled on boot. - systemd: + ansible.builtin.systemd: name: td-agent enabled: yes state: started @@ -65,7 +65,7 @@ - fluentd - name: NRPE check is configured - lineinfile: + ansible.builtin.lineinfile: path: /etc/nagios/nrpe.d/evolix.cfg line: 'command[check_fluentd]=/usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}' notify: "restart nagios-nrpe-server" diff --git a/generate-ldif/tasks/exec.yml b/generate-ldif/tasks/exec.yml index 213560a5..0c25758a 100644 --- a/generate-ldif/tasks/exec.yml +++ b/generate-ldif/tasks/exec.yml @@ -1,6 +1,7 @@ --- - name: run generateldif - command: '{{ general_scripts_dir }}/generateldif.sh' + ansible.builtin.command: + cmd: '{{ general_scripts_dir }}/generateldif.sh' register: generateldif_run changed_when: False failed_when: False @@ -8,7 +9,7 @@ tags: - generateldif-exec -- debug: +- ansible.builtin.debug: var: generateldif_run.stdout_lines verbosity: 1 tags: diff --git a/generate-ldif/tasks/main.yml b/generate-ldif/tasks/main.yml index 019f5a83..29acb2fc 100644 --- a/generate-ldif/tasks/main.yml +++ b/generate-ldif/tasks/main.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: general_scripts_dir is search("/usr") - name: "copy generateldif.sh" - template: + ansible.builtin.template: src: templates/generateldif.sh.j2 dest: '{{ general_scripts_dir }}/generateldif.sh' owner: root diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 9cf3b9cb..a20031f1 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml 
@@ -1,15 +1,15 @@ --- - name: reload haproxy - service: + ansible.builtin.service: name: haproxy state: reloaded - name: restart haproxy - service: + ansible.builtin.service: name: haproxy state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index d38e83af..12fdd224 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: ssl-cert package is installed - apt: + ansible.builtin.apt: name: ssl-cert state: present tags: @@ -8,7 +8,7 @@ - packages - name: HAProxy SSL directory is present - file: + ansible.builtin.file: path: /etc/haproxy/ssl owner: root group: root @@ -19,7 +19,8 @@ - ssl - name: Self-signed certificate is present in HAProxy ssl directory - shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem" + ansible.builtin.shell: + cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem" args: creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem notify: reload haproxy @@ -28,7 +29,7 @@ - ssl - name: HAProxy stats_access_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/stats_access_ips create: yes block: | @@ -42,7 +43,7 @@ - update-config - name: HAProxy stats_admin_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/stats_admin_ips create: yes block: | @@ -56,7 +57,7 @@ - update-config - name: HAProxy maintenance_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/maintenance_ips create: yes block: | @@ -70,7 +71,7 @@ - update-config - name: HAProxy deny_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/deny_ips create: yes block: | 
@@ -83,11 +84,11 @@ - config - update-config -- include: packages_backports.yml +- ansible.builtin.include: packages_backports.yml when: haproxy_backports | bool - name: Install HAProxy package - apt: + ansible.builtin.apt: name: haproxy state: present tags: @@ -95,7 +96,7 @@ - packages - name: Copy HAProxy configuration - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/haproxy/haproxy.cfg force: "{{ haproxy_force_config }}" @@ -115,7 +116,7 @@ - update-config - name: Rotate logs with dateext - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.d/haproxy line: ' dateext' regexp: '^\s*#*\s*(no)?dateext' @@ -125,7 +126,7 @@ - logrotate - name: Rotate logs with nodelaycompress - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.d/haproxy line: ' nodelaycompress' regexp: '^\s*#*\s*(no)?delaycompress' @@ -135,7 +136,7 @@ - logrotate - name: Set net.ipv4.ip_nonlocal_bind - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_nonlocal_bind value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}" sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}" @@ -147,4 +148,4 @@ - haproxy_allow_ip_nonlocal_bind is defined - haproxy_allow_ip_nonlocal_bind is not none -- include: munin.yml +- ansible.builtin.include: munin.yml diff --git a/haproxy/tasks/munin.yml b/haproxy/tasks/munin.yml index 1f65dbe3..e2f2302d 100644 --- a/haproxy/tasks/munin.yml +++ b/haproxy/tasks/munin.yml @@ -1,6 +1,6 @@ --- - name: Install Munin plugin and dependencies - apt: + ansible.builtin.apt: name: - munin-plugins-extra - liblwp-useragent-determined-perl @@ -9,7 +9,7 @@ - haproxy - name: Enable Munin Haproxy plugins - file: + ansible.builtin.file: src: /usr/share/munin/plugins/haproxy_ng dest: /etc/munin/plugins/haproxy_ng force: yes @@ -19,7 +19,7 @@ - haproxy - name: Copy Munin Haproxy config - template: + ansible.builtin.template: src: munin.conf.j2 dest: /etc/munin/plugin-conf.d/haproxy mode: "0644" 
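Review bot: `ansible.builtin.include` is the FQCN of the deprecated `include` action, which ansible-core removed in 2.16, so the two rewritten lines in this file (`packages_backports.yml` here and `munin.yml` in the last hunk) will stop working on a current controller; the same applies to the `include:` rewrites in java/tasks/main.yml, kibana/tasks/main.yml, kvm-host/tasks/main.yml, ldap/tasks/main.yml, logstash/tasks/main.yml and lxc-php/tasks/php56.yml. Replace them with `ansible.builtin.import_tasks:` (static; the task-level `when:` is then applied to each imported task) or `ansible.builtin.include_tasks:` where the file name is dynamic, e.g. `- ansible.builtin.import_tasks: packages_backports.yml`. Doing it in this commit keeps the FQCN migration from having to be revisited.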
diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index eab4fbca..5832c4d4 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml @@ -1,26 +1,26 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml tags: - haproxy - packages -- set_fact: +- ansible.builtin.set_fact: haproxy_backports_packages: "{{ haproxy_backports_packages_stretch }}" when: ansible_distribution_release == 'stretch' -- set_fact: +- ansible.builtin.set_fact: haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}" when: ansible_distribution_release == 'buster' -- set_fact: +- ansible.builtin.set_fact: haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}" when: ansible_distribution_release == 'bullseye' - name: Prefer HAProxy package from backports - template: + ansible.builtin.template: src: haproxy_apt_preferences.j2 dest: /etc/apt/preferences.d/999-haproxy force: yes @@ -31,7 +31,7 @@ - packages - name: update apt - apt: + ansible.builtin.apt: update_cache: yes when: haproxy_apt_preferences is changed tags: diff --git a/java/tasks/main.yml b/java/tasks/main.yml index f899bf1c..d07ce5eb 100644 --- a/java/tasks/main.yml +++ b/java/tasks/main.yml @@ -3,8 +3,8 @@ # msg: "This role support only java 8 for now !" # when: java_version != 8 -- include: openjdk.yml +- ansible.builtin.include: openjdk.yml when: java_alternative == 'openjdk' -- include: oracle.yml +- ansible.builtin.include: oracle.yml when: java_alternative == 'oracle' diff --git a/java/tasks/openjdk.yml b/java/tasks/openjdk.yml index 13135d9c..e0d947db 100644 --- a/java/tasks/openjdk.yml +++ b/java/tasks/openjdk.yml 
@@ -1,12 +1,12 @@ --- - name: Decide which Debian release to use - set_fact: + ansible.builtin.set_fact: java_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}' tags: - java - name: Install jessie-backports - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml when: ansible_distribution_release == "jessie" @@ -14,7 +14,7 @@ - java - name: Install default openjdk package - apt: + ansible.builtin.apt: name: "default-jre-headless" default_release: "{{ java_apt_release }}" state: present @@ -24,7 +24,7 @@ when: java_version is none - name: Install specific openjdk package - apt: + ansible.builtin.apt: name: "openjdk-{{ java_version }}-jre-headless" default_release: "{{ java_apt_release }}" state: present @@ -34,7 +34,7 @@ when: java_version is not none - name: This openjdk version is the default alternative - alternatives: + community.general.alternatives: name: java path: "{{ java_bin_path[java_version] }}" tags: diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml index 0b057695..75d181d3 100644 --- a/java/tasks/oracle.yml +++ b/java/tasks/oracle.yml @@ -1,6 +1,6 @@ --- - name: Install dependencies for build java package - apt: + ansible.builtin.apt: name: - java-package - build-essential @@ -9,7 +9,7 @@ - java - name: Create jvm dir - file: + ansible.builtin.file: path: "{{ item }}" state: directory mode: "0777" @@ -21,7 +21,7 @@ - java - name: Get Oracle jre archive - get_url: + ansible.builtin.get_url: url: 'https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/server-jre-8u192-linux-x64.tar.gz' dest: '/srv/java-package/src/' checksum: 'sha256:3d811a5ec65dc6fc261f488757bae86ecfe285a79992363b016f60cdb4dbe7e6' 
@@ -31,7 +31,8 @@ - java - name: Make Debian package from Oracle JDK archive - shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz" + ansible.builtin.shell: + cmd: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz" args: chdir: /srv/java-package creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb @@ -39,17 +40,17 @@ tags: - java -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install java package - apt: + ansible.builtin.apt: deb: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb tags: - java - name: This openjdk version is the default alternative - alternatives: + community.general.alternatives: name: java path: "/usr/lib/jvm/oracle-java{{ java_version }}-server-jre-amd64/bin/java" when: java_default_alternative | bool diff --git a/jenkins/handlers/main.yml b/jenkins/handlers/main.yml index b7d269cf..a38d1b47 100644 --- a/jenkins/handlers/main.yml +++ b/jenkins/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: Restart Jenkins - service: + ansible.builtin.service: name: jenkins state: restarted diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 3a855f9c..1e6b777b 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -6,7 +6,7 @@ # http://jenkins.mirror.isppower.de/.* - name: Add Jenkins GPG key - copy: + ansible.builtin.copy: src: jenkins.asc dest: "{{ apt_keyring_dir }}/jenkins.asc" force: yes @@ -15,7 +15,7 @@ group: root - name: Add Jenkins APT repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/ filename: jenkins update_cache: yes 
@@ -30,17 +30,17 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: jenkins_sources is changed - name: Install Jenkins - apt: + ansible.builtin.apt: name: jenkins state: present - name: Change Jenkins port - replace: + ansible.builtin.replace: name: /etc/default/jenkins regexp: "^HTTP_PORT=.*$" replace: "HTTP_PORT=8081" diff --git a/keepalived/handlers/main.yml b/keepalived/handlers/main.yml index 252fe515..7c9235d2 100644 --- a/keepalived/handlers/main.yml +++ b/keepalived/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart keepalived - systemd: + ansible.builtin.systemd: name: keepalived state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted diff --git a/keepalived/tasks/main.yml b/keepalived/tasks/main.yml index b98ff1ae..3ab0f8be 100644 --- a/keepalived/tasks/main.yml +++ b/keepalived/tasks/main.yml @@ -1,14 +1,14 @@ --- - name: install Keepalived service - apt: + ansible.builtin.apt: pkg: keepalived state: present tags: - keepalived - name: Add notify.sh script for NRPE check - file: + ansible.builtin.file: src: notify.sh dest: /etc/keepalived/notify.sh mode: "0755" @@ -21,7 +21,7 @@ - nrpe - name: check_keepalived is installed - file: + ansible.builtin.file: src: check_keepalived dest: /usr/local/lib/nagios/plugins/check_keepalived mode: "0755" @@ -33,7 +33,7 @@ - nrpe - name: Use check_keepalived for NRPE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: 'command\[check_keepalived\]' replace: 'command[check_keepalived]=/usr/local/lib/nagios/plugins/check_keepalived' @@ -43,7 +43,7 @@ - nrpe - name: generate Keepalived configuration - template: + ansible.builtin.template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf mode: "0644" 
@@ -52,7 +52,7 @@ - keepalived - name: enable and restart Keepalived service - systemd: + ansible.builtin.systemd: name: keepalived daemon_reload: yes state: started diff --git a/kibana/handlers/main.yml b/kibana/handlers/main.yml index cbccd8e0..90467e19 100644 --- a/kibana/handlers/main.yml +++ b/kibana/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart kibana - systemd: + ansible.builtin.systemd: name: kibana state: restarted diff --git a/kibana/tasks/apt_sources.yml b/kibana/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/kibana/tasks/apt_sources.yml +++ b/kibana/tasks/apt_sources.yml @@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 176af2d3..bcfb852a 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Kibana is installed - apt: + ansible.builtin.apt: name: kibana state: present update_cache: yes @@ -17,7 +17,7 @@ - packages - name: kibana server host configuration - lineinfile: + ansible.builtin.lineinfile: dest: /etc/kibana/kibana.yml line: "server.host: \"{{ kibana_server_host }}\"" regexp: '^server.host:' @@ -27,7 +27,7 @@ - kibana - name: kibana server basepath configuration - lineinfile: + ansible.builtin.lineinfile: dest: /etc/kibana/kibana.yml line: "server.basePath: \"{{ kibana_server_basepath }}\"" regexp: '^server.basePath:' @@ -37,7 +37,7 @@ - kibana - name: kibana log destination is present - file: + ansible.builtin.file: dest: /var/log/kibana owner: kibana group: kibana 
@@ -47,7 +47,7 @@ - kibana - name: kibana log messages go to custom file - lineinfile: + ansible.builtin.lineinfile: dest: /etc/kibana/kibana.yml line: "logging.dest: \"/var/log/kibana/kibana.log\"" regexp: '^logging.dest:' @@ -57,7 +57,7 @@ - kibana - name: Kibana service is enabled and started - systemd: + ansible.builtin.systemd: name: kibana enabled: yes state: started @@ -65,7 +65,7 @@ - kibana - name: Logrotate configuration is enabled - copy: + ansible.builtin.copy: src: logrotate dest: /etc/logrotate.d/kibana mode: "0644" @@ -94,7 +94,7 @@ # - optimize # - data -- include: proxy_nginx.yml +- ansible.builtin.include: proxy_nginx.yml when: kibana_proxy_nginx | bool tags: - kibana diff --git a/kibana/tasks/proxy_nginx.yml b/kibana/tasks/proxy_nginx.yml index 5849fdd6..7b680284 100644 --- a/kibana/tasks/proxy_nginx.yml +++ b/kibana/tasks/proxy_nginx.yml @@ -1,13 +1,13 @@ --- - name: Example proxy for Kibana with Nginx (with SSL) - template: + ansible.builtin.template: src: nginx_proxy_kibana_ssl.j2 dest: /etc/nginx/sites-available/kibana_ssl.conf force: no - name: Example proxy for Kibana with Nginx (without SSL) - template: + ansible.builtin.template: src: nginx_proxy_kibana_nossl.j2 dest: /etc/nginx/sites-available/kibana_nossl.conf force: no diff --git a/kvm-host/handlers/main.yml b/kvm-host/handlers/main.yml index 0b7f394e..5ca5295a 100644 --- a/kvm-host/handlers/main.yml +++ b/kvm-host/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/kvm-host/tasks/images.yml b/kvm-host/tasks/images.yml index b9ec57a8..9e8a7670 100644 --- a/kvm-host/tasks/images.yml +++ b/kvm-host/tasks/images.yml 
@@ -3,13 +3,13 @@ - name: Set images path when customized block: - name: "Is {{ kvm_custom_libvirt_images_path }} present ?" - stat: + ansible.builtin.stat: path: "{{ kvm_custom_libvirt_images_path }}" check_mode: no register: kvm_custom_libvirt_images_path_test - name: "read the real datadir" - command: readlink -f /var/lib/libvirt/images + ansible.builtin.command: readlink -f /var/lib/libvirt/images changed_when: False check_mode: no register: kvm_libvirt_images_current_real_path_test @@ -18,19 +18,19 @@ - name: Images directory is moved to custom path block: - name: "Move libvirt images to {{ kvm_custom_libvirt_images_path }}" - command: mv /var/lib/libvirt/images {{ kvm_custom_libvirt_images_path }} + ansible.builtin.command: mv /var/lib/libvirt/images {{ kvm_custom_libvirt_images_path }} args: creates: "{{ kvm_custom_libvirt_images_path }}" - name: Fix owner/group/permissions - file: + ansible.builtin.file: path: "{{ kvm_custom_libvirt_images_path }}" owner: root group: libvirt mode: "02775" - name: "Symlink {{ kvm_custom_libvirt_images_path }} to /var/lib/libvirt/images" - file: + ansible.builtin.file: src: "{{ kvm_custom_libvirt_images_path }}" dest: '/var/lib/libvirt/images' state: link diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index a2f6953c..c6004b7b 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -1,16 +1,16 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/drbd when: kvm_install_drbd ## TODO: check why it's disabled -- include: ssh.yml +- ansible.builtin.include: ssh.yml -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: images.yml +- ansible.builtin.include: images.yml -- include: tools.yml +- ansible.builtin.include: tools.yml diff --git a/kvm-host/tasks/munin.yml b/kvm-host/tasks/munin.yml index d16bcfd9..45edc8d6 100644 --- a/kvm-host/tasks/munin.yml +++ b/kvm-host/tasks/munin.yml 
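Review bot: In the `Move libvirt images` task the custom path is interpolated unquoted into a free-form `ansible.builtin.command`, so a `kvm_custom_libvirt_images_path` containing whitespace would be split into several `mv` arguments after templating. The rest of the commit converts free-form commands to the structured form, so this one should use the list form to keep the path a single argument: `ansible.builtin.command:` / `argv: ['mv', '/var/lib/libvirt/images', '{{ kvm_custom_libvirt_images_path }}']`. The `readlink` call in the first hunk has no variable and can stay free-form.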
@@ -1,22 +1,22 @@ --- -- include_role: +- ansible.builtin.include_role: name: remount-usr - name: Create local munin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Get Munin plugins - get_url: + ansible.builtin.get_url: url: "https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/libvirt/{{ item }}" dest: "/usr/local/share/munin/plugins/" mode: "0755" @@ -28,7 +28,7 @@ notify: restart munin-node - name: Enable Munin plugins - file: + ansible.builtin.file: src: "/usr/local/share/munin/plugins/{{ plugin_name }}" dest: "/etc/munin/plugins/{{ plugin_name }}" state: link @@ -42,7 +42,7 @@ notify: restart munin-node - name: Copy Munin plugins conf - copy: + ansible.builtin.copy: src: files/munin-plugins dest: "/etc/munin/plugin-conf.d/kvm" mode: "0644" diff --git a/kvm-host/tasks/packages.yml b/kvm-host/tasks/packages.yml index 1b58b324..12e7897e 100644 --- a/kvm-host/tasks/packages.yml +++ b/kvm-host/tasks/packages.yml @@ -1,7 +1,7 @@ --- - name: Install packages for kvm/libvirt - apt: + ansible.builtin.apt: name: - qemu-kvm - netcat-openbsd @@ -14,7 +14,7 @@ state: present - name: Install packages for kvmstats - apt: + ansible.builtin.apt: name: - dialog - html-xml-utils diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml index d954bc06..9ce09eb7 100644 --- a/kvm-host/tasks/ssh.yml +++ b/kvm-host/tasks/ssh.yml @@ -1,18 +1,19 @@ --- - name: Generate root ssh_key - user: + ansible.builtin.user: name: root generate_ssh_key: yes ssh_key_bits: 2048 - name: Fetch ssh public keys - command: cat /root/.ssh/id_rsa.pub + ansible.builtin.command: + cmd: cat /root/.ssh/id_rsa.pub register: ssh_keys check_mode: no changed_when: False - name: Print ssh public keys - debug: + ansible.builtin.debug: msg: "{{ ssh_keys.stdout }}" #- name: Autorize other kvm ssh key 
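Review bot: `Generate root ssh_key` pins an RSA key of 2048 bits, the low end of current guidance, while `ansible.builtin.user` accepts `ssh_key_type: ed25519`, which would make `ssh_key_bits` unnecessary; if the type is changed, the hard-coded `cmd: cat /root/.ssh/id_rsa.pub` in the `Fetch ssh public keys` task must follow (`id_ed25519.pub`), so the two tasks should be kept in step or the filename derived from one variable. The key's intended consumer is not visible here (the following authorization task is commented out), so a short comment stating what this root key is for and where its public half is expected to be installed would help reviewers judge the exposure.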
@@ -28,7 +29,7 @@ # when: item[1] != inventory_hostname - name: Crontab for sync libvirt xml file - cron: + ansible.builtin.cron: name: "sync libvirt xml on {{ kvm_pair }}" state: present special_time: "hourly" @@ -42,7 +43,7 @@ tags: crontab - name: Crontab for sync list of running vm - cron: + ansible.builtin.cron: name: "sync list of libvirt running vm on {{ kvm_pair }}" state: present special_time: "daily" diff --git a/kvm-host/tasks/tools.yml b/kvm-host/tasks/tools.yml index 1e114bb7..7931f541 100644 --- a/kvm-host/tasks/tools.yml +++ b/kvm-host/tasks/tools.yml @@ -1,17 +1,17 @@ --- - name: remove old package - apt: + ansible.builtin.apt: name: kvm-tools purge: yes state: absent -- include_role: +- ansible.builtin.include_role: name: remount-usr when: kvm_scripts_dir is search("/usr") - name: add-vm script is present - copy: + ansible.builtin.copy: src: add-vm.sh dest: "{{ kvm_scripts_dir }}/add-vm" mode: "0700" @@ -20,7 +20,7 @@ force: yes - name: migrate-vm script is present - copy: + ansible.builtin.copy: src: migrate-vm.sh dest: "{{ kvm_scripts_dir }}/migrate-vm" mode: "0700" @@ -29,7 +29,7 @@ force: yes - name: kvmstats script is present - copy: + ansible.builtin.copy: src: kvmstats.sh dest: "{{ kvm_scripts_dir }}/kvmstats" mode: "0700" @@ -38,7 +38,7 @@ force: yes - name: kvmstats cron is present - template: + ansible.builtin.template: src: kvmstats.cron.j2 dest: "/etc/cron.hourly/kvmstats" mode: "0755" @@ -46,7 +46,7 @@ group: root - name: entry for kvmstats in web page is present - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html insertbefore: '' line: '
  • kvmstats
  • ' @@ -55,13 +55,13 @@ # backward compatibility - name: remove old migrate-vm script - file: + ansible.builtin.file: path: /usr/share/scripts/migrate-vm state: absent when: "'/usr/share/scripts' not in kvm_scripts_dir" - name: remove old kvmstats script - file: + ansible.builtin.file: path: /usr/share/scripts/kvmstats state: absent when: "'/usr/share/scripts' not in kvm_scripts_dir" \ No newline at end of file diff --git a/ldap/handlers/main.yml b/ldap/handlers/main.yml index 2105f4b5..5735515b 100644 --- a/ldap/handlers/main.yml +++ b/ldap/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart slapd - service: + ansible.builtin.service: name: slapd state: restarted diff --git a/ldap/tasks/init.yml b/ldap/tasks/init.yml index 16be0842..0ab85f18 100644 --- a/ldap/tasks/init.yml +++ b/ldap/tasks/init.yml @@ -1,32 +1,35 @@ --- - name: upload ldap initial config - template: + ansible.builtin.template: src: config_ldapvi.j2 dest: /root/evolinux_ldap_config.ldapvi mode: "0640" - name: upload ldap initial entries - template: + ansible.builtin.template: src: first-entries.ldif.j2 dest: /root/evolinux_ldap_first-entries.ldif mode: "0640" - name: inject config - command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi + ansible.builtin.command: + cmd: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi environment: TERM: xterm - name: inject first entries - command: slapadd -l /root/evolinux_ldap_first-entries.ldif + ansible.builtin.command: + cmd: slapadd -l /root/evolinux_ldap_first-entries.ldif - name: upload custom schema - copy: + ansible.builtin.copy: src: "{{ ldap_schema }}" dest: "/root/{{ ldap_schema }}" mode: "0640" when: ldap_schema is defined - name: inject custom schema - command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" + ansible.builtin.command: + cmd: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" when: ldap_schema is defined \ No newline at end of file 
diff --git a/ldap/tasks/ldapvirc.yml b/ldap/tasks/ldapvirc.yml index f44249d6..568ad60a 100644 --- a/ldap/tasks/ldapvirc.yml +++ b/ldap/tasks/ldapvirc.yml @@ -1,13 +1,13 @@ --- - name: "Is /root/.ldapvirc present ?" - stat: + ansible.builtin.stat: path: /root/.ldapvirc check_mode: no register: root_ldapvirc_path - name: Warning when ldapvirc file is present and ldap_admin_password is given - debug: + ansible.builtin.debug: msg: "WARNING: an LDAP admin password is given, but an ldapvirc file already exists. It will not be updated." when: - ldap_admin_password | length > 0 @@ -15,13 +15,14 @@ # Generate ldap password if none is given and ldapvirc is absent - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present when: not root_ldapvirc_path.stat.exists - name: create a password for cn=admin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: new_ldap_admin_password changed_when: False when: @@ -30,20 +31,21 @@ # Use the generated password or the one found in the file - name: overwrite ldap_admin_password - set_fact: + ansible.builtin.set_fact: ldap_admin_password: "{{ new_ldap_admin_password.stdout }}" when: - ldap_admin_password | length == 0 - not root_ldapvirc_path.stat.exists - name: hash password for cn=admin - command: "slappasswd -s {{ ldap_admin_password }}" + ansible.builtin.command: + cmd: "slappasswd -s {{ ldap_admin_password }}" register: ldap_admin_password_ssha changed_when: False when: not root_ldapvirc_path.stat.exists - name: create ldapvirc config - template: + ansible.builtin.template: src: ldapvirc.j2 dest: /root/.ldapvirc mode: "0640" 
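Review bot: The `hash password for cn=admin` task passes `{{ ldap_admin_password }}` on the `slappasswd -s` command line and registers the result without `no_log`, so the cleartext secret is visible in the host's process table while it runs and in Ansible's verbose and registered output. Add `no_log: true` to that task, to the `create a password for cn=admin` apg task and to the `overwrite ldap_admin_password` set_fact; the same applies to the grep/awk read in the `-51` hunk of this file and to the apg, slappasswd and set_fact tasks in ldap/tasks/nagios.yml. slappasswd also accepts `-T <file>` to read the secret from a file, which together with a 0600 temporary file would keep it out of `ps` as well.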
@@ -51,12 +53,13 @@ # Read ldap password when none is given and ldapvirc is present - name: read ldap admin password from ldapvirc file - shell: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'" + ansible.builtin.shell: + cmd: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'" changed_when: False check_mode: no register: new_ldap_admin_password # Use the password found in the file - name: overwrite ldap_admin_password - set_fact: + ansible.builtin.set_fact: ldap_admin_password: "{{ new_ldap_admin_password.stdout }}" diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index 9bfb6517..ca89b997 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml @@ -1,5 +1,5 @@ - name: LDAP packages are installed - apt: + ansible.builtin.apt: name: - slapd - ldap-utils @@ -9,18 +9,18 @@ update_cache: yes - name: change slapd listen ip:port - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/slapd regexp: 'SLAPD_SERVICES=.*' line: "SLAPD_SERVICES=\"{{ ldap_listen }}\"" notify: restart slapd - name: ldapvirc file - include: ldapvirc.yml + ansible.builtin.include: ldapvirc.yml - name: nagios config file for LDAP - include: nagios.yml + ansible.builtin.include: nagios.yml - name: initialize database - include: init.yml + ansible.builtin.include: init.yml when: not root_ldapvirc_path.stat.exists \ No newline at end of file diff --git a/ldap/tasks/nagios.yml b/ldap/tasks/nagios.yml index 0c92f7b3..58120baa 100644 --- a/ldap/tasks/nagios.yml +++ b/ldap/tasks/nagios.yml @@ -1,13 +1,13 @@ --- - name: "Is /etc/nagios/monitoring-plugins.ini present ?" - stat: + ansible.builtin.stat: path: /etc/nagios/monitoring-plugins.ini check_mode: no register: nagios_monitoring_plugins_path - name: Warning when nagios config is present and ldap_nagios_password is given - debug: + ansible.builtin.debug: msg: "WARNING: an LDAP nagios password is given, but a nagios config already exists. It will not be updated." when: - ldap_nagios_password | length > 0 
@@ -15,7 +15,7 @@ # Generate ldap password if none is given and nagios config is absent - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present when: @@ -23,7 +23,8 @@ - not nagios_monitoring_plugins_path.stat.exists - name: create a password for cn=admin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: new_ldap_nagios_password changed_when: False when: @@ -32,14 +33,14 @@ # Use the generated password or the one found in the file - name: overwrite ldap_nagios_password (from apg) - set_fact: + ansible.builtin.set_fact: ldap_nagios_password: "{{ new_ldap_nagios_password.stdout }}" when: - ldap_nagios_password | length == 0 - not nagios_monitoring_plugins_path.stat.exists - name: set params for NRPE check - ini_file: + community.general.ini_file: dest: /etc/nagios/monitoring-plugins.ini owner: root group: nagios @@ -57,7 +58,7 @@ # Read ldap password when none is given and nagios config is present # We can't parse a remote file, so we have to fetch it first - name: Fetch /etc/nagios/monitoring-plugins.ini - fetch: + ansible.builtin.fetch: src: /etc/nagios/monitoring-plugins.ini dest: /tmp/{{ inventory_hostname }}/ flat: yes @@ -65,10 +66,11 @@ # Then web can parse it with the 'ini' lookup # and set the variable - name: overwrite ldap_nagios_password (from file) - set_fact: + ansible.builtin.set_fact: ldap_nagios_password: "{{ lookup('ini', 'pass section=check_ldap file=/tmp/{{ inventory_hostname }}/monitoring-plugins.ini') }}" - name: hash password for cn=nagios - command: "slappasswd -s {{ ldap_nagios_password }}" + ansible.builtin.command: + cmd: "slappasswd -s {{ ldap_nagios_password }}" register: ldap_nagios_password_ssha changed_when: False \ No newline at end of file diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 42864806..cc5b99aa 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml 
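Review bot: The `Fetch /etc/nagios/monitoring-plugins.ini` task copies a file that holds the LDAP nagios password to `/tmp/{{ inventory_hostname }}/` on the controller and nothing in this file removes it, so the secret persists in a shared temporary directory on the control node; the `set_fact` that reads it back through the `ini` lookup is likewise not marked `no_log`. Consider replacing fetch-plus-lookup with `ansible.builtin.slurp` on the remote file and parsing the decoded content, or at least writing to a private directory and deleting it afterwards, and add `no_log: true` to the set_fact.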
@@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Scripts dir is present - file: + ansible.builtin.file: path: "/usr/share/scripts" state: directory owner: root @@ -12,7 +12,7 @@ mode: "0700" - name: Copy listupgrade script - copy: + ansible.builtin.copy: src: listupgrade.sh dest: "/usr/share/scripts/listupgrade.sh" mode: "0700" @@ -21,7 +21,7 @@ force: yes - name: Create /etc/evolinux - file: + ansible.builtin.file: path: /etc/evolinux state: directory owner: root @@ -29,7 +29,7 @@ mode: "0700" - name: Copy listupgrade config - template: + ansible.builtin.template: src: listupgrade.cnf.j2 dest: /etc/evolinux/listupgrade.cnf mode: "0600" @@ -38,7 +38,7 @@ force: no - name: Cron.d is present - file: + ansible.builtin.file: path: "/etc/cron.d" state: directory mode: "0755" @@ -46,7 +46,7 @@ group: root - name: Enable listupgrade cron - cron: + ansible.builtin.cron: name: "listupgrade.sh" cron_file: "listupgrade" user: root @@ -59,13 +59,13 @@ state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" - name: Remove old lisupgrade typo - cron: + ansible.builtin.cron: name: "lisupgrade.sh" cron_file: "listupgrade" state: absent - name: old-kernel-autoremoval script is present - copy: + ansible.builtin.copy: src: old-kernel-autoremoval.sh dest: /usr/share/scripts/old-kernel-autoremoval.sh mode: "0755" diff --git a/logstash/handlers/main.yml b/logstash/handlers/main.yml index 82021675..b38c949e 100644 --- a/logstash/handlers/main.yml +++ b/logstash/handlers/main.yml @@ -1,11 +1,11 @@ --- - name: restart logstash - systemd: + ansible.builtin.systemd: name: logstash state: restarted daemon_reload: yes - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes \ No newline at end of file diff --git a/logstash/tasks/apt_sources.yml b/logstash/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/logstash/tasks/apt_sources.yml +++ b/logstash/tasks/apt_sources.yml 
@@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/logstash/tasks/logs.yml b/logstash/tasks/logs.yml index b09ebaf2..8262ce29 100644 --- a/logstash/tasks/logs.yml +++ b/logstash/tasks/logs.yml @@ -1,7 +1,7 @@ --- - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -9,7 +9,7 @@ register: is_cron_installed - name: "log rotation script" - template: + ansible.builtin.template: src: rotate_logstash_logs.j2 dest: /etc/cron.daily/rotate_logstash_logs owner: root @@ -18,12 +18,12 @@ when: is_cron_installed.rc == 0 - name: "Create a system config directory for systemd overrides" - file: + ansible.builtin.file: path: /etc/systemd/system/logstash.service.d state: directory - name: "disable syslog" - ini_file: + community.general.ini_file: path: /etc/systemd/system/logstash.service.d/override.conf section: Service option: "{{ item.option }}" diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 11b0a0bf..4f3b8da7 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Logstash is installed - apt: + ansible.builtin.apt: name: logstash state: present tags: @@ -16,14 +16,14 @@ - packages - name: Logstash service is enabled - systemd: + ansible.builtin.systemd: name: logstash enabled: yes tags: - logstash - name: JVM Heap size (min) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logstash/jvm.options regexp: "^-Xms" line: "-Xms{{ logstash_jvm_xms }}" 
@@ -32,7 +32,7 @@ - config - name: JVM Heap size (max) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logstash/jvm.options regexp: "^-Xmx" line: "-Xmx{{ logstash_jvm_xmx }}" @@ -41,7 +41,7 @@ - config - name: Add a configuration - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/logstash/conf.d/logstash.conf owner: logstash @@ -60,10 +60,10 @@ - logstash - config -- debug: +- ansible.builtin.debug: var: logstash_template verbosity: 1 -- include: logs.yml +- ansible.builtin.include: logs.yml -- include: tmpdir.yml +- ansible.builtin.include: tmpdir.yml diff --git a/logstash/tasks/tmpdir.yml b/logstash/tasks/tmpdir.yml index e41b1205..ab054d34 100644 --- a/logstash/tasks/tmpdir.yml +++ b/logstash/tasks/tmpdir.yml @@ -1,18 +1,19 @@ --- - name: Check if /tmp is noexec - shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" + ansible.builtin.shell: + cmd: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" register: fstab_tmp_noexec failed_when: False changed_when: False check_mode: no - block: - - set_fact: + - ansible.builtin.set_fact: _logstash_custom_tmpdir: "{{ logstash_custom_tmpdir | default(logstash_default_tmpdir, True) | mandatory }}" - name: "Create {{ _logstash_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ _logstash_custom_tmpdir }}" owner: logstash group: logstash @@ -22,7 +23,7 @@ - logstash - name: change JVM tmpdir - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logstash/jvm.options line: "-Djava.io.tmpdir={{ _logstash_custom_tmpdir }}" regexp: "^-Djava.io.tmpdir=" diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index 0beaa055..1a2d7a6e 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml 
@@ -1,57 +1,57 @@ --- - name: Reload PHP-FPM - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload {{ lxc_php_services[lxc_php_version] }}" - name: Restart PHP-FPM - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" - name: Reload php81-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php8.1-fpm" - name: Reload php80-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php8.0-fpm" - name: Reload php74-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php7.4-fpm" - name: Reload php73-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php7.3-fpm" - name: Reload php70-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php7.0-fpm" - name: Reload php56-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php5-fpm" - name: Restart opensmtpd - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl restart opensmtpd" - name: Daemon reload - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl daemon-reload" - name: Restart container - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" state: restarted diff --git a/lxc-php/tasks/mail_opensmtpd.yml b/lxc-php/tasks/mail_opensmtpd.yml index 02f36728..35d0e75b 100644 --- a/lxc-php/tasks/mail_opensmtpd.yml +++ b/lxc-php/tasks/mail_opensmtpd.yml 
@@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install opensmtpd" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y opensmtpd" - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" - template: + ansible.builtin.template: src: smtpd.conf.j2 dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" @@ -15,7 +15,7 @@ - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" - template: + ansible.builtin.template: src: smtpd.conf.bullseye.j2 dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" diff --git a/lxc-php/tasks/mail_ssmtp.yml b/lxc-php/tasks/mail_ssmtp.yml index f14cfe57..b57d5d77 100644 --- a/lxc-php/tasks/mail_ssmtp.yml +++ b/lxc-php/tasks/mail_ssmtp.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install ssmtp" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y ssmtp " - name: "{{ lxc_php_version }} - Configure ssmtp" - template: + ansible.builtin.template: src: ssmtp.conf.j2 dest: "{{ lxc_rootfs }}/etc/ssmtp/ssmtp.conf" mode: "0644" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index a1e91431..c3d58eba 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -5,7 +5,7 @@ when: lxc_php_version is none -- include_role: +- ansible.builtin.include_role: name: evolix/lxc vars: lxc_containers: diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index 22598ee0..248aa8e2 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml 
@@ -1,30 +1,30 @@ --- - name: "{{ lxc_php_version }} - Configure timezone for the container" - copy: + ansible.builtin.copy: remote_src: yes src: "/etc/timezone" dest: "{{ lxc_rootfs }}/etc/timezone" - name: "{{ lxc_php_version }} - Ensure container's root directory is 755" - file: + ansible.builtin.file: path: "{{ lxc_rootfs }}" state: directory mode: '0755' - name: "{{ lxc_php_version }} - Configure mailname for the container" - copy: + ansible.builtin.copy: content: "{{ evolinux_hostname }}.{{ evolinux_domain }}\n" dest: "{{ lxc_rootfs }}/etc/mailname" notify: "Restart opensmtpd" - name: "{{ lxc_php_version }} - Install misc packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y cron logrotate git zip unzip" - name: "{{ lxc_php_version }} - Add MySQL socket to container default mounts" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_config: - "lxc.mount.entry = /run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0" diff --git a/lxc-php/tasks/php56.yml b/lxc-php/tasks/php56.yml index b0f376d8..d210d80b 100644 --- a/lxc-php/tasks/php56.yml +++ b/lxc-php/tasks/php56.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -17,4 +17,4 @@ loop_control: loop_var: line_item -- include: "mail_ssmtp.yml" +- ansible.builtin.include: "mail_ssmtp.yml" 
diff --git a/lxc-php/tasks/php70.yml b/lxc-php/tasks/php70.yml index 18523846..52c96883 100644 --- a/lxc-php/tasks/php70.yml +++ b/lxc-php/tasks/php70.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -17,4 +17,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php73.yml b/lxc-php/tasks/php73.yml index 4bb037e7..ade67b97 100644 --- a/lxc-php/tasks/php73.yml +++ b/lxc-php/tasks/php73.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -17,4 +17,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 65660f92..f1dd021a 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml 
@@ -1,18 +1,18 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - fix bullseye repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -23,4 +23,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 0e9d29a6..043c0174 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -6,18 +6,18 @@ - name: "{{ lxc_php_version }} - Install dependency packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" - name: "{{ lxc_php_version }} - fix bullseye repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Add sury repo" - lineinfile: + ansible.builtin.lineinfile: dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" line: "{{ item }}" state: present @@ -28,7 +28,7 @@ - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main" - name: copy pub.evolix.net GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" mode: "0644" 
@@ -36,7 +36,7 @@ group: root - name: copy packages.sury.org GPG Key - copy: + ansible.builtin.copy: src: sury.gpg dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg" mode: "0644" @@ -44,17 +44,17 @@ group: root - name: "{{ lxc_php_version }} - Update APT cache" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt update" - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -65,4 +65,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 966a2880..a1e9c71b 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -5,18 +5,18 @@ lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d - name: "{{ lxc_php_version }} - Install dependency packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" - name: "{{ lxc_php_version }} - fix bullseye repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Add sury repo" - lineinfile: + ansible.builtin.lineinfile: dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" line: "{{ item }}" state: present 
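Review bot: php81.yml sets `lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d`, and keys copied there are trusted by apt for every configured source, so the `signed-by=` option on the sury.list entries in this hunk does not actually limit what the sury or evolix keys may sign. php82.yml in this same diff already uses `/etc/apt/keyrings`, where apt honours a key only through an explicit `signed-by=`; setting `lxc_apt_keyring_dir: /etc/apt/keyrings` here makes the two task files consistent and gives the option its intended scoping. php80.yml uses the same `signed-by={{ lxc_apt_keyring_dir }}` pattern but its value for the variable is outside the visible hunk, so check it as well. The assignment is a context line of this hunk and is not touched by the commit.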
@@ -27,7 +27,7 @@ - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main" - name: copy pub.evolix.net GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" mode: "0644" @@ -35,7 +35,7 @@ group: root - name: copy packages.sury.org GPG Key - copy: + ansible.builtin.copy: src: sury.gpg dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg" mode: "0644" @@ -43,17 +43,17 @@ group: root - name: "{{ lxc_php_version }} - Update APT cache" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt update" - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -64,4 +64,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php82.yml b/lxc-php/tasks/php82.yml index 8ecb1e33..a83207c8 100644 --- a/lxc-php/tasks/php82.yml +++ b/lxc-php/tasks/php82.yml 
@@ -5,20 +5,20 @@ lxc_apt_keyring_dir: /etc/apt/keyrings - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" # TODO : adapt to Bookworm and deb822 format - name: "{{ lxc_php_version }} - fix bookworm repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -29,4 +29,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml index bc279a04..fdfd1208 100644 --- a/lxc-solr/tasks/main.yml +++ b/lxc-solr/tasks/main.yml @@ -1,16 +1,16 @@ --- - name: LXC configuration - include_role: + ansible.builtin.include_role: name: evolix/lxc - name: Ensure containers root directory is 755 - file: + ansible.builtin.file: path: "/var/lib/lxc/{{ item.name }}/rootfs" state: directory mode: '0755' loop: "{{ lxc_containers }}" -- include: solr.yml +- ansible.builtin.include: solr.yml args: name: "{{ item.name }}" solr_version: "{{ item.solr_version }}" diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index a2f0c373..7eafb696 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml 
@@ -1,7 +1,7 @@ --- - name: "Set values for Solr < 9.0.0" - set_fact: + ansible.builtin.set_fact: tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "/etc/init.d/solr start" @@ -9,7 +9,7 @@ when: "solr_version is version('9.0.0', '<')" - name: "Set values for Solr >= 9.0.0" - set_fact: + ansible.builtin.set_fact: tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "systemctl start solr" @@ -17,26 +17,28 @@ when: "solr_version is version('9.0.0', '>=')" - name: Install java and lsof packages - command: "lxc-attach -n {{ name }} -- apt-get install -y default-jre-headless lsof" + ansible.builtin.command: + cmd: "lxc-attach -n {{ name }} -- apt-get install -y default-jre-headless lsof" - name: "Download Solr {{ solr_version }}" - get_url: + ansible.builtin.get_url: url: "{{ tarball_url }}" dest: "{{ tarball_path }}" mode: '0644' - name: "Extract solr-{{ solr_version }}.tgz" - unarchive: + ansible.builtin.unarchive: src: "{{ tarball_path }}" dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes - name: "Make sure /home/solr exists" - file: + ansible.builtin.file: path: /home/solr/{{ name }} recurse: yes state: directory mode: '0755' - name: "Install Solr {{ solr_version }}" - command: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}" + ansible.builtin.command: + cmd: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}" diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index edeca2ec..3b70cdde 100644 
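Review bot: The "Download Solr" task fetches the tarball from archive.apache.org without a `checksum:`, and the following tasks unpack it and run its install_solr_service.sh, so the only integrity control on that code is the TLS connection. `ansible.builtin.get_url` accepts either a digest or a URL to a checksum file, and Apache publishes a .sha512 next to each artifact; adding `checksum: "sha512:{{ tarball_url }}.sha512"` (or a pinned literal digest if the published file's layout is not accepted) makes a tampered or truncated download fail before anything is executed.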
--- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -1,12 +1,13 @@ --- - name: "Check if container {{ name }} exists" - command: "lxc-ls {{ name }}" + ansible.builtin.command: + cmd: "lxc-ls {{ name }}" changed_when: False check_mode: no register: container_exists - name: "Create container {{ name }}" - lxc_container: + community.general.lxc_container: name: "{{ name }}" container_log: true template: debian 
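Review bot: The existence check in create-container.yml runs `lxc-ls {{ name }}` and treats any output as "exists", but lxc-ls appears to apply its argument as a regular-expression name filter rather than an exact match, so a container named `web` is reported as existing whenever `web2` or `myweb` exists and creation is silently skipped. Anchoring the filter, `cmd: "lxc-ls --filter '^{{ name | regex_escape }}$'"`, restricts the match to the exact name; if the installed lxc-ls predates `--filter`, the positional argument takes the same anchored regex. The `when:` that consumes container_exists is the first line of the next hunk.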
@@ -15,45 +16,45 @@ when: container_exists.stdout_lines | length == 0 - name: "Disable network configuration inside container {{ name }}" - replace: + ansible.builtin.replace: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/networking" regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no when: lxc_network_type == "none" - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" - lineinfile: + ansible.builtin.lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" when: lxc_network_type == "none" and release == "jessie" - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" - file: + ansible.builtin.file: src: /lib/systemd/system/poweroff.target dest: "/var/lib/lxc/{{ name }}/rootfs/etc/systemd/system/sigpwr.target" state: link when: release == 'jessie' - name: "Configure the DNS resolvers in the container {{ name }}" - copy: + ansible.builtin.copy: remote_src: yes src: /etc/resolv.conf dest: "/var/lib/lxc/{{ name }}/rootfs/etc/" - name: "Add hostname in /etc/hosts for container {{ name }}" - lineinfile: + ansible.builtin.lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" - name: "Fix permission on /dev for container {{ name }}" - lineinfile: + ansible.builtin.lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" when: release == 'jessie' - name: "Ensure that {{ name }} container is running" - lxc_container: + community.general.lxc_container: name: "{{ name }}" state: started diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 8236b9f1..d0f9f144 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml 
@@ -1,56 +1,59 @@ --- - name: Install lxc tools - apt: + ansible.builtin.apt: name: - lxc - debootstrap - xz-utils - name: python-lxc is installed (Debian <= 10) - apt: + ansible.builtin.apt: name: python-lxc state: present when: ansible_python_version is version('3', '<') - name: python3-lxc is installed (Debian >= 10) - apt: + ansible.builtin.apt: name: python3-lxc state: present when: ansible_python_version is version('3', '>=') - name: Install additional packages (Debian >= 10) - apt: + ansible.builtin.apt: name: - apparmor - lxc-templates when: ansible_distribution_major_version is version('10', '>=') - name: Copy LXC default containers configuration - template: + ansible.builtin.template: src: default.conf dest: /etc/lxc/ - name: Check if root has subuids - command: grep '^root:100000:10000$' /etc/subuid + ansible.builtin.command: + cmd: grep '^root:100000:10000$' /etc/subuid failed_when: False changed_when: False register: root_subuids when: lxc_unprivilegied_containers | bool - name: Add subuid and subgid ranges to root - command: usermod -v 100000-199999 -w 100000-109999 root + ansible.builtin.command: + cmd: usermod -v 100000-199999 -w 100000-109999 root when: - lxc_unprivilegied_containers | bool - root_subuids.rc != 0 - name: Get filesystem options - command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS + ansible.builtin.command: + cmd: findmnt --noheadings --target /var/lib/lxc --output OPTIONS changed_when: False check_mode: no register: check_fs_options - name: Check if options are correct - assert: + ansible.builtin.assert: that: - "'nodev' not in check_fs_options.stdout" - "'noexec' not in check_fs_options.stdout" @@ -58,7 +61,7 @@ msg: "LXC directory is in a filesystem with incompatible options" - name: Create containers - include: create-container.yml + ansible.builtin.include: create-container.yml vars: name: "{{ item.name }}" release: "{{ item.release }}" 
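Review bot: In lxc/tasks/main.yml the "Check if root has subuids" grep looks for `^root:100000:10000$` in /etc/subuid, while the task it guards adds the range `-v 100000-199999`, which shadow records as `root:100000:100000`; as written the check never matches what usermod writes, so on every run root_subuids.rc is non-zero and usermod is invoked again against an already allocated range. Unless the 10000-count entry is produced somewhere outside this diff, the pattern should be `cmd: grep '^root:100000:100000$' /etc/subuid` (the 10000 count corresponds to the subgid range given with `-w`, not the subuid one).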
diff --git a/memcached/handlers/main.yml b/memcached/handlers/main.yml index 136c39d7..20dbe61e 100644 --- a/memcached/handlers/main.yml +++ b/memcached/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: restart memcached - service: + ansible.builtin.service: name: memcached state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted diff --git a/memcached/tasks/instance-default.yml b/memcached/tasks/instance-default.yml index 635b3576..8a0630a4 100644 --- a/memcached/tasks/instance-default.yml +++ b/memcached/tasks/instance-default.yml @@ -1,6 +1,6 @@ - name: Memcached is configured. - template: + ansible.builtin.template: src: memcached.conf.j2 dest: /etc/memcached.conf mode: "0644" @@ -9,7 +9,7 @@ - memcached - name: Memcached is running and enabled on boot. - service: + ansible.builtin.service: name: memcached enabled: yes state: started diff --git a/memcached/tasks/instance-multi.yml b/memcached/tasks/instance-multi.yml index 61568a5d..873b0b15 100644 --- a/memcached/tasks/instance-multi.yml +++ b/memcached/tasks/instance-multi.yml @@ -1,14 +1,14 @@ --- - name: Add systemd unit template - copy: + ansible.builtin.copy: src: memcached@.service dest: /etc/systemd/system/memcached@.service tags: - memcached - name: Disable default memcached systemd unit - systemd: + ansible.builtin.systemd: name: memcached enabled: false state: stopped @@ -16,14 +16,14 @@ - memcached - name: Make sure memcached.conf is absent - file: + ansible.builtin.file: path: /etc/memcached.conf state: absent tags: - memcached - name: "Create a configuration file for instance ({{ memcached_instance_name }})" - template: + ansible.builtin.template: src: memcached.conf.j2 dest: /etc/memcached_{{ memcached_instance_name }}.conf mode: "0644" 
@@ -31,7 +31,7 @@ - memcached - name: "Enable and start the memcached instance ({{ memcached_instance_name }})" - systemd: + ansible.builtin.systemd: name: memcached@{{ memcached_instance_name }} enabled: yes state: started diff --git a/memcached/tasks/main.yml b/memcached/tasks/main.yml index 86d0aa40..96060d4a 100644 --- a/memcached/tasks/main.yml +++ b/memcached/tasks/main.yml @@ -1,16 +1,16 @@ - name: Ensure memcached is installed - apt: + ansible.builtin.apt: name: memcached state: present tags: - memcached -- include: instance-default.yml +- ansible.builtin.include: instance-default.yml when: memcached_instance_name is undefined -- include: instance-multi.yml +- ansible.builtin.include: instance-multi.yml when: memcached_instance_name is defined -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml diff --git a/memcached/tasks/munin.yml b/memcached/tasks/munin.yml index f97962c4..b25b9275 100644 --- a/memcached/tasks/munin.yml +++ b/memcached/tasks/munin.yml @@ -1,11 +1,11 @@ --- - name: Choose packages (Oracle) - set_fact: + ansible.builtin.set_fact: multi: "multi_" when: memcached_instance_name is defined - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -15,14 +15,14 @@ - block: - name: Install munin-plugins-extra and libcache-memcached-perl for Munin - apt: + ansible.builtin.apt: name: - 'munin-plugins-extra' - 'libcache-memcached-perl' state: present - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/memcached_' dest: /etc/munin/plugins/{{ multi }}{{ item }} state: link diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index 9fe28942..a01cf1e7 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml 
@@ -1,28 +1,28 @@ --- - name: Is nrpe present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg register: nrpe_evolix_config - block: - name: Install dependencies - apt: + ansible.builtin.apt: name: - libcache-memcached-perl - libmemcached11 - - include_role: + - ansible.builtin.include_role: name: evolix/remount-usr - name: Copy Nagios check for memcached - copy: + ansible.builtin.copy: src: check_memcached.pl dest: /usr/local/lib/nagios/plugins/ mode: "0755" - name: install check_memcached_instances - copy: + ansible.builtin.copy: src: check_memcached_instances.sh dest: /usr/local/lib/nagios/plugins/check_memcached_instances force: yes @@ -31,7 +31,7 @@ group: root - name: Add NRPE check (single instance) - lineinfile: + ansible.builtin.lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_memcached\]=' line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}' @@ -39,7 +39,7 @@ when: memcached_instance_name is undefined - name: Add NRPE check (multi instance) - lineinfile: + ansible.builtin.lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_memcached\]=' line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances' diff --git a/memcached/tasks/phpmemcachedadmin.yml b/memcached/tasks/phpmemcachedadmin.yml index 0a8e4417..1e49ae9e 100644 --- a/memcached/tasks/phpmemcachedadmin.yml +++ b/memcached/tasks/phpmemcachedadmin.yml @@ -1,6 +1,6 @@ --- - name: Create phpMemcachedAdmin root dir - file: + ansible.builtin.file: path: /var/www/phpmemcachedadmin/ state: directory mode: "0755" @@ -8,7 +8,7 @@ - memcached - name: Install phpMemcachedAdmin - unarchive: + ansible.builtin.unarchive: src: 'https://github.com/elijaa/phpmemcachedadmin/archive/1.3.0.tar.gz' dest: /var/www/phpmemcachedadmin/ remote_src: True 
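Review bot: The "Install phpMemcachedAdmin" task unpacks a release tarball fetched from github.com straight into a web root with `remote_src: True`, and `ansible.builtin.unarchive` has no checksum parameter, so nothing verifies that the archive is the expected 1.3.0 release beyond the TLS handshake. Downloading it first with `ansible.builtin.get_url` and a pinned `checksum: "sha256:<digest of phpmemcachedadmin-1.3.0.tar.gz>"`, then passing the local path to unarchive, gives the same result with an integrity check; the placeholder is to be replaced with the digest recorded when the tarball was vetted.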
@@ -18,7 +18,7 @@ - memcached - name: Copy phpMemcachedAdmin config - template: + ansible.builtin.template: src: Memcache.php.j2 dest: /var/www/phpmemcachedadmin/Config/Memcache.php mode: "0755" diff --git a/metricbeat/handlers/main.yml b/metricbeat/handlers/main.yml index cd83ab5d..949eac26 100644 --- a/metricbeat/handlers/main.yml +++ b/metricbeat/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart metricbeat - systemd: + ansible.builtin.systemd: name: metricbeat state: restarted diff --git a/metricbeat/tasks/apt_sources.yml b/metricbeat/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/metricbeat/tasks/apt_sources.yml +++ b/metricbeat/tasks/apt_sources.yml @@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 7fc21d09..16cc4865 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Metricbeat is installed - apt: + ansible.builtin.apt: name: metricbeat state: "{% if metribeat_upgrade_package %}latest{% else %}present{% endif %}" notify: restart metricbeat @@ -17,7 +17,7 @@ - packages - name: Metricbeat service is enabled - systemd: + ansible.builtin.systemd: name: metricbeat enabled: yes notify: restart metricbeat @@ -25,7 +25,7 @@ # When we don't use a config template (default) - block: - name: Metricbeat knows where to find Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '^ hosts: .*' line: " hosts: [\"{{ metricbeat_elasticsearch_hosts | join('\", \"') }}\"]" 
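Review bot: The phpMemcachedAdmin config template is written with `mode: "0755"`, which sets the execute bit on a PHP configuration file that is only read by the interpreter; nothing in the hunk needs it executable. `mode: "0644"` matches the other templates in this diff (memcached.conf.j2, smtpd.conf.j2) and is the least-privilege default for a config file, while the read bits the web server relies on stay unchanged.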
@@ -34,7 +34,7 @@ when: metricbeat_elasticsearch_hosts | length > 0 - name: Metricbeat protocol for Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '^ #?protocol: .*' line: " protocol: \"{{ metricbeat_elasticsearch_protocol }}\"" @@ -43,7 +43,7 @@ when: metricbeat_elasticsearch_protocol == "http" or metricbeat_elasticsearch_protocol == "https" - name: Metricbeat auth/username for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '{{ item.regexp }}' line: '{{ item.line }}' @@ -57,7 +57,7 @@ - metricbeat_elasticsearch_auth_password | length > 0 - name: Metricbeat api_key for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '^ #?api_key: .*' line: ' api_key: "{{ metricbeat_elasticsearch_auth_api_key }}"' @@ -66,7 +66,7 @@ when: metricbeat_elasticsearch_auth_api_key | length > 0 - name: disable cloud_metadata - replace: + ansible.builtin.replace: dest: /etc/metricbeat/metricbeat.yml regexp: '^(\s+)(- add_cloud_metadata:)' replace: '\1# \2' @@ -74,7 +74,7 @@ when: not (metricbeat_processors_cloud_metadata | bool) - name: cloud_metadata processor is disabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml line: " - add_cloud_metadata: ~" insert_after: '^processors:' @@ -85,7 +85,7 @@ # When we use a config template - block: - name: Configuration is up-to-date - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/metricbeat/metricbeat.yml force: "{{ metricbeat_force_config }}" diff --git a/minifirewall/handlers/main.yml b/minifirewall/handlers/main.yml index 3c541de5..bcc6081b 100644 --- a/minifirewall/handlers/main.yml +++ b/minifirewall/handlers/main.yml 
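Review bot: The "Metricbeat auth/username for Elasticsearch are configured" task loops `ansible.builtin.lineinfile` over items whose `line` carries the Elasticsearch password (inferred from the task name and the `metricbeat_elasticsearch_auth_password` guard, since the loop itself is outside the hunk), and the api_key task two hunks further down writes `metricbeat_elasticsearch_auth_api_key` the same way; with no `no_log`, each loop item and the resulting line are echoed in the play output and in any callback or log aggregator that records it. Adding `no_log: true` to both tasks keeps the credentials out of the run log without changing what is written to metricbeat.yml.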
@@ -1,22 +1,24 @@ --- - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart minifirewall (modern) - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" - name: restart minifirewall (legacy) - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - name: restart minifirewall (noop) - meta: noop + ansible.builtin.meta: noop register: minifirewall_init_restart failed_when: False changed_when: False \ No newline at end of file diff --git a/minifirewall/tasks/activate.yml b/minifirewall/tasks/activate.yml index e971407b..57a2ea26 100644 --- a/minifirewall/tasks/activate.yml +++ b/minifirewall/tasks/activate.yml @@ -1,12 +1,12 @@ --- - name: check if /etc/init.d/alert5 exists - stat: + ansible.builtin.stat: path: /etc/init.d/alert5 register: initd_alert5 - name: Uncomment minifirewall start line - replace: + ansible.builtin.replace: dest: /etc/init.d/alert5 regexp: '^#/etc/init.d/minifirewall start' replace: '/etc/init.d/minifirewall start' @@ -15,12 +15,12 @@ - minifirewall_autostart | bool - name: check if /usr/share/scripts/alert5 exists - stat: + ansible.builtin.stat: path: /usr/share/scripts/alert5.sh register: usr_share_scripts_alert5 - name: Uncomment minifirewall start line - replace: + ansible.builtin.replace: dest: /usr/share/scripts/alert5.sh regexp: '^#/etc/init.d/minifirewall start' replace: '/etc/init.d/minifirewall start' diff --git a/minifirewall/tasks/config.legacy.yml b/minifirewall/tasks/config.legacy.yml index a151e76c..c14e76c4 100644 --- a/minifirewall/tasks/config.legacy.yml +++ b/minifirewall/tasks/config.legacy.yml 
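Review bot: The two "restart minifirewall" handlers set `failed_when` to a stdout string test, and an explicit `failed_when` replaces the default non-zero-rc check rather than adding to it, so an init script that exits non-zero without printing the expected text (or prints nothing because it aborted early) is reported as a successful firewall restart. For the modern handler `failed_when: minifirewall_init_restart.rc != 0 or 'minifirewall failed' in minifirewall_init_restart.stdout` keeps both signals; the legacy one would combine the rc test with its existing `not in` check the same way. Whether the legacy script's exit code is reliable is not visible here, so confirm that before tightening it.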
@@ -1,53 +1,54 @@ --- -- debug: +- ansible.builtin.debug: var: minifirewall_trusted_ips verbosity: 1 -- debug: +- ansible.builtin.debug: var: minifirewall_privilegied_ips verbosity: 1 - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "{{ minifirewall_main_file }}" register: minifirewall_before - name: Check if minifirewall is running - shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + ansible.builtin.shell: + cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Begin marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no - name: End marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - name: Verify that at least 1 trusted IP is provided - assert: + ansible.builtin.assert: that: minifirewall_trusted_ips | length > 0 msg: You must provide at least 1 trusted IP -- debug: +- ansible.builtin.debug: msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!" when: minifirewall_trusted_ips == ["0.0.0.0/0"] - name: Configure IP addresses - blockinfile: + ansible.builtin.blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" block: | 
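Review bot: In config.legacy.yml the "firewall is useless" warning fires only when `minifirewall_trusted_ips == ["0.0.0.0/0"]`, i.e. when the list is exactly that one element, so a list such as `['10.0.0.0/8', '0.0.0.0/0']` that is just as open passes silently. config.yml in this same diff already uses the membership form; aligning the legacy file with `when: "'0.0.0.0/0' in minifirewall_trusted_ips"` closes the gap, and the `'::/0'` check from config.yml could be added at the same time if the legacy configuration carries IPv6 addresses.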
@@ -77,21 +78,21 @@ register: minifirewall_config_ips - name: Begin marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no - name: End marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no - name: Configure ports - blockinfile: + ansible.builtin.blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" block: | @@ -115,7 +116,7 @@ register: minifirewall_config_ports - name: Configure DNSSERVEURS - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" regexp: "DNSSERVEURS='.*'" @@ -123,7 +124,7 @@ when: minifirewall_dns_servers is not none - name: Configure HTTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" @@ -131,7 +132,7 @@ when: minifirewall_http_sites is not none - name: Configure HTTPSSITES - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" regexp: "HTTPSSITES='.*'" @@ -139,7 +140,7 @@ when: minifirewall_https_sites is not none - name: Configure FTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" regexp: "FTPSITES='.*'" @@ -147,7 +148,7 @@ when: minifirewall_ftp_sites is not none - name: Configure SSHOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" regexp: "SSHOK='.*'" 
@@ -155,7 +156,7 @@ when: minifirewall_ssh_ok is not none - name: Configure SMTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" regexp: "SMTPOK='.*'" @@ -163,7 +164,7 @@ when: minifirewall_smtp_ok is not none - name: Configure SMTPSECUREOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" regexp: "SMTPSECUREOK='.*'" @@ -171,7 +172,7 @@ when: minifirewall_smtp_secure_ok is not none - name: Configure NTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" regexp: "NTPOK='.*'" @@ -179,26 +180,27 @@ when: minifirewall_ntp_ok is not none - name: evomaintenance - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" loop: "{{ evomaintenance_hosts }}" - name: remove minifirewall example rule for the evomaintenance - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent when: evomaintenance_hosts | length > 0 - name: Stat minifirewall config file (after) - stat: + ansible.builtin.stat: path: "{{ minifirewall_main_file }}" register: minifirewall_after - name: Schedule minifirewall restart (legacy) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (legacy)" when: - minifirewall_install_mode == 'legacy' @@ -207,6 +209,6 @@ - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 2 
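Review bot: `Schedule minifirewall restart (legacy)` still runs `/bin/true` on the target solely so the task reports changed and fires the handler, and because it is an `ansible.builtin.command` task it is skipped in check mode, so a dry run never shows the pending restart. A task that needs no process and is not skipped in check mode, e.g. `ansible.builtin.debug:` / `msg: "Scheduling minifirewall restart"` / `changed_when: true`, keeps the same `notify` and `when` and fires the handler identically. The same pattern is in the `Schedule minifirewall restart (modern)` hunk of config.yml, the two `Force restart minifirewall` hunks of main.yml, and the restart hunks of tail.legacy.yml and tail.yml.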
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index b0a1d7a6..2d4da100 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -1,58 +1,58 @@ --- -- debug: +- ansible.builtin.debug: var: minifirewall_trusted_ips verbosity: 1 -- debug: +- ansible.builtin.debug: var: minifirewall_privilegied_ips verbosity: 1 - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_before - name: Check if minifirewall is running - shell: + ansible.builtin.shell: cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Begin marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no - name: End marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - name: Verify that at least 1 trusted IP is provided - assert: + ansible.builtin.assert: that: minifirewall_trusted_ips | length > 0 msg: You must provide at least 1 trusted IP -- debug: +- ansible.builtin.debug: msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless on IPv4!" when: "'0.0.0.0/0' in minifirewall_trusted_ips" -- debug: +- ansible.builtin.debug: msg: "Warning: minifirewall_trusted_ips contains '::/0', the firewall is useless on IPv6!" when: "'::/0' in minifirewall_trusted_ips" - name: Configure IP addresses - blockinfile: + ansible.builtin.blockinfile: dest: "/etc/default/minifirewall" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" block: | 
@@ -86,21 +86,21 @@ register: minifirewall_config_ips - name: Begin marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no - name: End marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no - name: Configure ports - blockinfile: + ansible.builtin.blockinfile: dest: "/etc/default/minifirewall" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" block: | @@ -124,7 +124,7 @@ register: minifirewall_config_ports - name: Configure DNSSERVEURS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" regexp: "DNSSERVEURS=('|\").*('|\")" @@ -132,7 +132,7 @@ when: minifirewall_dns_servers is not none - name: Configure HTTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES=('|\").*('|\")" @@ -140,7 +140,7 @@ when: minifirewall_http_sites is not none - name: Configure HTTPSSITES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" regexp: "HTTPSSITES=('|\").*('|\")" @@ -148,7 +148,7 @@ when: minifirewall_https_sites is not none - name: Configure FTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" regexp: "FTPSITES=('|\").*('|\")" @@ -156,7 +156,7 @@ when: minifirewall_ftp_sites is not none - name: Configure SSHOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" regexp: "SSHOK=('|\").*('|\")" 
@@ -164,7 +164,7 @@ when: minifirewall_ssh_ok is not none - name: Configure SMTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" regexp: "SMTPOK=('|\").*('|\")" @@ -172,7 +172,7 @@ when: minifirewall_smtp_ok is not none - name: Configure SMTPSECUREOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" regexp: "SMTPSECUREOK=('|\").*('|\")" @@ -180,7 +180,7 @@ when: minifirewall_smtp_secure_ok is not none - name: Configure NTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" regexp: "NTPOK=('|\").*('|\")" @@ -188,7 +188,7 @@ when: minifirewall_ntp_ok is not none - name: Configure PROXY - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" @@ -196,7 +196,7 @@ when: minifirewall_proxy is not none - name: Configure PROXYPORT - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" @@ -206,7 +206,7 @@ # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated - name: Configure PROXYBYPASS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" @@ -214,7 +214,7 @@ when: minifirewall_proxybypass is not none - name: Configure BACKUPSERVERS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" 
@@ -222,7 +222,7 @@ when: minifirewall_backupservers is not none - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'" regexp: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")" @@ -230,7 +230,7 @@ when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none - name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'" regexp: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")" @@ -238,7 +238,7 @@ when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none - name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'" regexp: "SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")" @@ -246,7 +246,7 @@ when: minifirewall_sysctl_accept_source_route is not none - name: Configure SYSCTL_TCP_SYNCOOKIES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'" regexp: "SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")" @@ -254,7 +254,7 @@ when: minifirewall_sysctl_tcp_syncookies is not none - name: Configure SYSCTL_ICMP_REDIRECTS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'" regexp: "SYSCTL_ICMP_REDIRECTS=('|\").*('|\")" 
@@ -262,7 +262,7 @@ when: minifirewall_sysctl_icmp_redirects is not none - name: Configure SYSCTL_RP_FILTER - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'" regexp: "SYSCTL_RP_FILTER=('|\").*('|\")" @@ -270,7 +270,7 @@ when: minifirewall_sysctl_rp_filter is not none - name: Configure SYSCTL_LOG_MARTIANS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'" regexp: "SYSCTL_LOG_MARTIANS=('|\").*('|\")" @@ -278,12 +278,13 @@ when: minifirewall_sysctl_log_martians is not none - name: Stat minifirewall config file (after) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_after - name: Schedule minifirewall restart (modern) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (modern)" when: - minifirewall_install_mode != 'legacy' @@ -291,6 +292,6 @@ - minifirewall_is_running.rc == 0 - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 2 diff --git a/minifirewall/tasks/install.legacy.yml b/minifirewall/tasks/install.legacy.yml index 323426b5..7d03efff 100644 --- a/minifirewall/tasks/install.legacy.yml +++ b/minifirewall/tasks/install.legacy.yml @@ -1,12 +1,12 @@ --- - name: dependencies are satisfied - apt: + ansible.builtin.apt: name: iptables state: present - name: init script is copied - template: + ansible.builtin.template: src: minifirewall.legacy.j2 dest: /etc/init.d/minifirewall force: "{{ minifirewall_force_upgrade_script | default('no') }}" 
@@ -15,7 +15,7 @@ group: root - name: configuration is copied - copy: + ansible.builtin.copy: src: minifirewall.legacy.conf dest: "{{ minifirewall_main_file }}" force: "{{ minifirewall_force_upgrade_config | default('no') }}" diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index daac6f81..1a507d31 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -1,12 +1,12 @@ --- - name: dependencies are satisfied - apt: + ansible.builtin.apt: name: iptables state: present - name: init script is copied - copy: + ansible.builtin.copy: src: minifirewall dest: /etc/init.d/minifirewall force: "{{ minifirewall_force_upgrade_script | default('no') }}" @@ -16,7 +16,7 @@ register: minifirewall_upgrade_script - name: configuration is copied - copy: + ansible.builtin.copy: src: minifirewall.conf dest: "/etc/default/minifirewall" force: "{{ minifirewall_force_upgrade_config | default('no') }}" @@ -26,7 +26,7 @@ register: minifirewall_upgrade_config - name: includes directory is present - file: + ansible.builtin.file: path: /etc/minifirewall.d/ state: directory owner: root @@ -34,7 +34,7 @@ mode: "0700" - name: examples for includes are present - copy: + ansible.builtin.copy: src: "minifirewall.d/" dest: "/etc/minifirewall.d/" force: "no" diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index e0dbcaf0..5457d60c 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -3,7 +3,7 @@ # Legacy or modern mode? ############################################## - name: Check minifirewall - stat: + ansible.builtin.stat: path: /etc/init.d/minifirewall register: _minifirewall_check tags: 
@@ -11,7 +11,8 @@ # Legacy versions of minifirewall don't define the VERSION variable - name: Look for minifirewall version - shell: "grep -E '^\\s*VERSION=' /etc/init.d/minifirewall" + ansible.builtin.shell: + cmd: "grep -E '^\\s*VERSION=' /etc/init.d/minifirewall" failed_when: False changed_when: False check_mode: False @@ -20,7 +21,7 @@ - always - name: Set install mode to legacy if needed - set_fact: + ansible.builtin.set_fact: minifirewall_install_mode: legacy minifirewall_main_file: "{{ minifirewall_legacy_main_file }}" minifirewall_tail_file: "{{ minifirewall_legacy_tail_file }}" @@ -32,21 +33,21 @@ - always - name: Set install mode to modern if not legacy - set_fact: + ansible.builtin.set_fact: minifirewall_install_mode: modern when: minifirewall_install_mode != 'legacy' tags: - always - name: Debug install mode - debug: + ansible.builtin.debug: var: minifirewall_install_mode verbosity: 1 tags: - always - name: 'Set minifirewall_restart_handler_name to "noop"' - set_fact: + ansible.builtin.set_fact: minifirewall_restart_handler_name: "restart minifirewall (noop)" when: - not (minifirewall_restart_if_needed | bool) @@ -54,7 +55,7 @@ - always - name: 'Set minifirewall_restart_handler_name to "legacy"' - set_fact: + ansible.builtin.set_fact: minifirewall_restart_handler_name: "restart minifirewall (legacy)" when: - minifirewall_restart_if_needed | bool @@ -63,7 +64,7 @@ - always - name: 'Set minifirewall_restart_handler_name to "modern"' - set_fact: + ansible.builtin.set_fact: minifirewall_restart_handler_name: "restart minifirewall (modern)" when: - minifirewall_restart_if_needed | bool @@ -74,7 +75,7 @@ ####################################################################### - name: Fail if minifirewall_main_file is defined (legacy mode) - fail: + ansible.builtin.fail: msg: "Variable minifirewall_main_file is deprecated and not configurable anymore." when: - minifirewall_install_mode != 'legacy' 
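Review bot: `Look for minifirewall version` keeps `ansible.builtin.shell` although the command is a single `grep` with no pipe, redirection or glob, so a shell is spawned for nothing and the `^\\s*VERSION=` pattern has to survive both YAML and shell quoting (ansible-lint flags this as command-instead-of-shell). `ansible.builtin.command:` / `cmd: "grep -E '^\\s*VERSION=' /etc/init.d/minifirewall"` runs the same argv without a shell; the other `shell` tasks touched by this series (the `iptables -L -n | grep` checks) do use a pipe and are fine as `shell`. The `failed_when`/`changed_when`/`check_mode` settings below it carry over unchanged.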
@@ -83,22 +84,22 @@ - always - name: Install tasks (modern mode) - import_tasks: install.yml + ansible.builtin.import_tasks: install.yml when: minifirewall_install_mode != 'legacy' - name: Install tasks (legacy mode) - import_tasks: install.legacy.yml + ansible.builtin.import_tasks: install.legacy.yml when: minifirewall_install_mode == 'legacy' - name: Debug minifirewall_update_config - debug: + ansible.builtin.debug: var: minifirewall_update_config | bool verbosity: 1 tags: - always - name: Config tasks (modern mode) - include_tasks: config.yml + ansible.builtin.include_tasks: config.yml when: - minifirewall_install_mode != 'legacy' - minifirewall_update_config | bool @@ -106,7 +107,7 @@ - manage - name: Config tasks (legacy mode) - include_tasks: config.legacy.yml + ansible.builtin.include_tasks: config.legacy.yml args: apply: tags: @@ -116,23 +117,23 @@ - minifirewall_update_config | bool - name: Utils tasks - include_tasks: utils.yml + ansible.builtin.include_tasks: utils.yml - name: NRPE tasks - include_tasks: nrpe.yml + ansible.builtin.include_tasks: nrpe.yml - name: Activation tasks - include_tasks: activate.yml + ansible.builtin.include_tasks: activate.yml - name: Debug minifirewall_tail_included - debug: + ansible.builtin.debug: var: minifirewall_tail_included | bool verbosity: 1 tags: - always - name: Tail tasks (modern mode) - include_tasks: tail.yml + ansible.builtin.include_tasks: tail.yml args: apply: tags: @@ -142,7 +143,7 @@ - minifirewall_tail_included | bool - name: Tail tasks (legacy mode) - include_tasks: tail.legacy.yml + ansible.builtin.include_tasks: tail.legacy.yml args: apply: tags: @@ -154,14 +155,15 @@ # Restart? - name: Debug minifirewall_restart_force - debug: + ansible.builtin.debug: var: minifirewall_restart_force | bool verbosity: 1 tags: - always - name: Force restart minifirewall (legacy) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (legacy)" tags: - always 
@@ -170,7 +172,8 @@ - minifirewall_restart_force | bool - name: Force restart minifirewall (modern) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (modern)" tags: - always diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml index 2e9674f7..691dd454 100644 --- a/minifirewall/tasks/nrpe.yml +++ b/minifirewall/tasks/nrpe.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -12,7 +12,7 @@ state: directory - name: minifirewall_status is installed - copy: + ansible.builtin.copy: src: minifirewall_status dest: /usr/share/scripts/minifirewall_status force: "{{ minifirewall_force_update_nrpe_scripts | bool }}" @@ -21,7 +21,7 @@ group: root - name: /usr/local/lib/nagios/plugins/ exists - file: + ansible.builtin.file: dest: "{{ nagios_plugins_directory }}" mode: "02755" owner: root @@ -29,7 +29,7 @@ state: directory - name: check_minifirewall is installed - copy: + ansible.builtin.copy: src: check_minifirewall dest: "{{ nagios_plugins_directory }}/check_minifirewall" force: "{{ minifirewall_force_update_nrpe_scripts | bool }}" @@ -38,12 +38,12 @@ group: staff - name: Is NRPE installed? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg register: nrpe_evolix_cfg - name: check_minifirewall is available for NRPE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: 'command\[check_minifirewall\]' line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall' 
@@ -51,12 +51,12 @@ when: nrpe_evolix_cfg.stat.exists - name: Is evolinux sudoers installed? - stat: + ansible.builtin.stat: path: /etc/sudoers.d/evolinux register: sudoers_evolinux - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_minifirewall' line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall' diff --git a/minifirewall/tasks/tail.legacy.yml b/minifirewall/tasks/tail.legacy.yml index dc7fbdc9..d78d2090 100644 --- a/minifirewall/tasks/tail.legacy.yml +++ b/minifirewall/tasks/tail.legacy.yml @@ -1,24 +1,24 @@ --- - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_before - name: Check if minifirewall is running - shell: + ansible.builtin.shell: cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Add some rules at the end of minifirewall file - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" 
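Review bot: `sudo without password for nagios` edits `/etc/sudoers.d/evolinux` with `lineinfile` and no `validate:`, so a malformed line there breaks `sudo` for every user on the host before anyone notices; add `validate: '/usr/sbin/visudo -cf %s'` to the task so the fragment is syntax-checked before it is written. The `regexp: 'check_minifirewall'` is also unanchored and would overwrite a commented-out or unrelated line that merely mentions the plugin; `regexp: '^nagios\s+ALL\s*=.*check_minifirewall'` pins it to the rule this task owns. The task appears to continue (its `when:`) past the end of the hunk.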
@@ -32,24 +32,25 @@ - "templates/minifirewall.default.tail.j2" register: minifirewall_tail_template -- debug: +- ansible.builtin.debug: var: minifirewall_tail_template verbosity: 1 - name: source minifirewall.tail at the end of the main file - blockinfile: + ansible.builtin.blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES" block: ". {{ minifirewall_tail_file }}" insertbefore: EOF register: minifirewall_tail_source -- debug: +- ansible.builtin.debug: var: minifirewall_tail_source verbosity: 1 - name: Schedule minifirewall restart (legacy) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (legacy)" when: - minifirewall_install_mode == 'legacy' @@ -57,6 +58,6 @@ - minifirewall_is_running.rc == 0 - minifirewall_tail_template is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 1 diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 73d60d9c..a3911f4a 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -1,24 +1,24 @@ --- - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_before - name: Check if minifirewall is running - shell: + ansible.builtin.shell: cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Add some rules at the end of minifirewall file - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" 
@@ -32,12 +32,13 @@ - "templates/minifirewall.default.tail.j2" register: minifirewall_tail_template -- debug: +- ansible.builtin.debug: var: minifirewall_tail_template verbosity: 1 - name: Schedule minifirewall restart (modern) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (modern)" when: - minifirewall_install_mode != 'legacy' @@ -45,6 +46,6 @@ - minifirewall_is_running.rc == 0 - minifirewall_tail_template is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 1 diff --git a/minifirewall/tasks/utils.yml b/minifirewall/tasks/utils.yml index 775bdd95..14ea7aac 100644 --- a/minifirewall/tasks/utils.yml +++ b/minifirewall/tasks/utils.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -12,7 +12,7 @@ state: directory - name: blacklist-countries.sh is copied - copy: + ansible.builtin.copy: src: blacklist-countries.sh dest: /usr/share/scripts/blacklist-countries.sh force: "no" diff --git a/minifirewall/tests/test.yml b/minifirewall/tests/test.yml index 43dd567f..a7168a68 100644 --- a/minifirewall/tests/test.yml +++ b/minifirewall/tests/test.yml @@ -3,7 +3,7 @@ vars: - minifirewall_trusted_ips: ["{{ ansible_default_ipv4.address }}/24"] pre_tasks: - - apt: + - ansible.builtin.apt: name: git roles: - role: minifirewall diff --git a/mongodb/handlers/main.yml b/mongodb/handlers/main.yml index 15f70437..7b793cdf 100644 --- a/mongodb/handlers/main.yml +++ b/mongodb/handlers/main.yml @@ -1,16 +1,16 @@ --- # handlers file for mongodb - name: restart mongod - service: + ansible.builtin.service: name: mongod state: restarted - name: restart mongodb - service: + ansible.builtin.service: name: mongodb state: restarted - name: restart munin-node - systemd: + ansible.builtin.systemd: name: munin-node state: restarted 
diff --git a/mongodb/tasks/main_bookworm.yml b/mongodb/tasks/main_bookworm.yml index 19bb513b..8261dcb2 100644 --- a/mongodb/tasks/main_bookworm.yml +++ b/mongodb/tasks/main_bookworm.yml @@ -1,6 +1,6 @@ --- -- fail: +- ansible.builtin.fail: msg: MongoDB is not compatible with Debian 12 (Bookworm) when: - ansible_distribution_release == "bookworm" @@ -30,48 +30,48 @@ register: _mongodb_install_package - name: MongoDB service in enabled and started - systemd: + ansible.builtin.systemd: name: mongod enabled: yes state: started when: _mongodb_install_package is changed - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python3-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_bullseye.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Munin plugins are present - copy: + ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' force: yes @@ -87,7 +87,7 @@ notify: restart munin-node - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/local/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index aa20fb97..4a02ee9b 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml 
@@ -1,13 +1,13 @@ --- -- fail: +- ansible.builtin.fail: msg: MongoDB versions <4.2 are not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - mongodb_version is version('5.2', '<') - name: Add MongoDB GPG key - copy: + ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes 
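Review bot: The `fail` guard's message says MongoDB versions `<4.2` are incompatible with Bullseye, but its condition tests `mongodb_version is version('5.2', '<')`, so the two disagree and, if 4.4 or 5.0 are meant to be supported on Bullseye, a supported install is refused with a misleading message. Presumably the condition should read `- mongodb_version is version('4.2', '<')`; worth confirming against the versions the role actually ships templates and keys for before changing either side.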
@@ -16,61 +16,61 @@ group: root - name: Add MongoDB repository - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" - name: Install packages - apt: + ansible.builtin.apt: name: mongodb-org update_cache: yes state: present register: _mongodb_install_package - name: MongoDB service in enabled and started - systemd: + ansible.builtin.systemd: name: mongod enabled: yes state: started when: _mongodb_install_package is changed - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python3-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_bullseye.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Munin plugins are present - copy: + ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' force: yes @@ -86,7 +86,7 @@ notify: restart munin-node - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/local/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 44baabc9..415a5a3f 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml 
@@ -1,19 +1,19 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring - name: MongoDB embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent when: _trusted_gpg_keyring.stat.exists - name: Add MongoDB GPG key - copy: + ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes 
@@ -22,69 +22,69 @@ group: root - name: Enable APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Disable unsigned APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: absent filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Install packages - apt: + ansible.builtin.apt: name: mongodb-org update_cache: yes state: present register: _mongodb_install_package - name: MongoDB service in enabled and started - systemd: + ansible.builtin.systemd: name: mongod enabled: yes state: started when: _mongodb_install_package is changed - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_buster.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_buster.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Munin plugins are present - copy: + ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' force: yes 
@@ -100,7 +100,7 @@ notify: restart munin-node - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/local/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index bc239393..61d57f85 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -1,19 +1,19 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring - name: MongoDB embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent when: _trusted_gpg_keyring.stat.exists - name: Add MongoDB GPG key - copy: + ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{ mongodb_version }}.asc" force: yes 
@@ -22,39 +22,39 @@ group: root - name: Enable APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Disable APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main" state: absent filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Install packages - apt: + ansible.builtin.apt: name: mongodb-org allow_unauthenticated: yes state: present - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongod_jessie.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_jessie.j2 dest: /etc/logrotate.d/mongodb force: yes diff --git a/mongodb/tasks/main_stretch.yml b/mongodb/tasks/main_stretch.yml index fe44e259..0dc33fcf 100644 --- a/mongodb/tasks/main_stretch.yml +++ b/mongodb/tasks/main_stretch.yml 
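Review bot: `Enable APT sources list` and `Disable APT sources list` in this hunk use the identical `repo:` string, so as written the second task removes the source the first one just added (in main_buster.yml the `absent` entry is the unsigned variant of the signed-by line), and presumably one of the two is stale. The following `Install packages` task also sets `allow_unauthenticated: yes`, which turns off apt signature verification for mongodb-org; the key copied into `/etc/apt/trusted.gpg.d/` in the previous hunk is ASCII-armored (`.asc`), which as far as I know apt on Jessie does not read from that directory, so shipping it dearmored as a binary `.gpg` keyring instead would let the flag be dropped rather than worked around. Both points are pre-existing and only surfaced by the module rename here.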
@@ -1,38 +1,39 @@ --- - name: Install packages - apt: + ansible.builtin.apt: name: - mongodb - mongo-tools state: present - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_stretch.conf.j2 dest: "/etc/mongodb.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongodb - name: enable service - service: + ansible.builtin.service: name: mongodb enabled: yes - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_stretch.j2 dest: /etc/logrotate.d/mongodb-server force: yes backup: no - name: disable previous logrotate - command: mv /etc/logrotate.d/mongodb /etc/logrotate.d/mongodb.disabled + ansible.builtin.command: + cmd: mv /etc/logrotate.d/mongodb /etc/logrotate.d/mongodb.disabled args: removes: /etc/logrotate.d/mongodb creates: /etc/logrotate.d/mongodb.disabled diff --git a/monit/handlers/main.yml b/monit/handlers/main.yml index d7900061..51beff76 100644 --- a/monit/handlers/main.yml +++ b/monit/handlers/main.yml @@ -1,11 +1,11 @@ --- - name: reload monit - service: + ansible.builtin.service: name: monit state: reloaded - name: restart monit - service: + ansible.builtin.service: name: monit state: restarted diff --git a/monit/tasks/main.yml b/monit/tasks/main.yml index fcdd0b4c..49e4c99b 100644 --- a/monit/tasks/main.yml +++ b/monit/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: monit is installed - apt: + ansible.builtin.apt: name: monit state: present tags: @@ -9,7 +9,7 @@ - packages - name: custom config is installed - template: + ansible.builtin.template: src: evolinux-defaults.conf.j2 dest: /etc/monit/conf.d/z-evolinux-defaults.conf mode: "0640" diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 8654181d..76782bf8 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml 
@@ -1,15 +1,15 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart munin_node - service: + ansible.builtin.service: name: munin_node state: restarted - name: systemd daemon-reload - systemd: + ansible.builtin.systemd: daemon_reload: yes \ No newline at end of file diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 6d3098dd..53aad7d0 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Ensure that Munin (and useful dependencies) is installed - apt: + ansible.builtin.apt: name: - munin - munin-node @@ -14,19 +14,20 @@ - packages - name: Ensure /usr is still writable - include_role: + ansible.builtin.include_role: name: evolix/remount-usr - block: - name: Replace localdomain in Munin config - replace: + ansible.builtin.replace: dest: /etc/munin/munin.conf regexp: 'localhost.localdomain' replace: '{{ ansible_fqdn }}' notify: restart munin-node - name: Rename the localdomain data dir - shell: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*" + ansible.builtin.shell: + cmd: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*" args: creates: /var/lib/munin/{{ ansible_domain }} removes: /var/lib/munin/localdomain @@ -36,11 +37,11 @@ tags: - munin -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install some Munin plugins (disabled) - copy: + ansible.builtin.copy: src: 'plugins/{{ item }}' dest: '/usr/share/munin/plugins/{{ item }}' loop: @@ -49,7 +50,7 @@ - munin - name: Ensure some Munin plugins are disabled - file: + ansible.builtin.file: path: '/etc/munin/plugins/{{ item }}' state: absent loop: 
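Review bot: The `Rename the localdomain data dir` task in the `munin/tasks/main.yml` hunk `@@ -14,19 +14,20 @@` interpolates the `ansible_domain` and `ansible_fqdn` facts into an `ansible.builtin.shell` string without quoting; both facts come from the managed host, so a hostname containing whitespace or shell/regex metacharacters would break the `mv`/`rename` pipeline or change what it renames. Apply the `quote` filter to each interpolation, e.g. `/var/lib/munin/{{ ansible_domain | quote }}`, and check whether `ansible_fqdn` needs escaping before it is used as the replacement text of the `rename` substitution. The `creates`/`removes` guards make the task idempotent but do not protect against a malformed command. The enclosing `block` runs past the end of the hunk, so its `when` condition, if any, is not visible here.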
@@ -65,7 +66,7 @@ - munin - name: Ensure some Munin plugins are enabled - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link @@ -81,7 +82,7 @@ - munin - name: Enable sensors_ plugin on dedicated hardware - file: + ansible.builtin.file: src: /usr/share/munin/plugins/sensors_ dest: "/etc/munin/plugins/sensors_{{ item }}" state: link @@ -94,7 +95,7 @@ - munin - name: Enable ipmi_ plugin on dedicated hardware - file: + ansible.builtin.file: src: /usr/share/munin/plugins/ipmi_ dest: "/etc/munin/plugins/ipmi_{{ item }}" state: link @@ -107,7 +108,7 @@ - volts - name: adjustments for grsec kernel - blockinfile: + ansible.builtin.blockinfile: dest: /etc/munin/plugin-conf.d/munin-node marker: "# {mark} ANSIBLE MANAGED GRSECURITY CUSTOMIZATIONS" block: | @@ -123,13 +124,13 @@ when: ansible_kernel is search("-grs-") - name: Create override directory for munin-node unit - file: + ansible.builtin.file: name: /etc/systemd/system/munin-node.service.d/ state: directory mode: "0755" - name: Override is present for protected home - ini_file: + community.general.ini_file: dest: "/etc/systemd/system/munin-node.service.d/override.conf" section: "Service" option: "ProtectHome" diff --git a/mysql-oracle/handlers/main.yml b/mysql-oracle/handlers/main.yml index c89d562a..eef49ef5 100644 --- a/mysql-oracle/handlers/main.yml +++ b/mysql-oracle/handlers/main.yml 
@@ -1,28 +1,29 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart mysql - service: + ansible.builtin.service: name: mysql state: restarted - name: restart mysql (noop) - meta: noop + ansible.builtin.meta: noop failed_when: False changed_when: False - name: reload systemd - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes - name: Restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart diff --git a/mysql-oracle/tasks/config.yml b/mysql-oracle/tasks/config.yml index 16590a59..ff42ed20 100644 --- a/mysql-oracle/tasks/config.yml +++ b/mysql-oracle/tasks/config.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_config_directory: "/etc/mysql/mysql.conf.d" - name: "Copy MySQL defaults config file" - copy: + ansible.builtin.copy: src: evolinux-defaults.cnf dest: "{{ mysql_config_directory }}/z-evolinux-defaults.cnf" owner: root @@ -15,7 +15,7 @@ - mysql - name: "Copy MySQL custom config file" - template: + ansible.builtin.template: src: evolinux-custom.cnf.j2 dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" owner: root diff --git a/mysql-oracle/tasks/datadir.yml b/mysql-oracle/tasks/datadir.yml index c375f5d5..d28d6440 100644 --- a/mysql-oracle/tasks/datadir.yml +++ b/mysql-oracle/tasks/datadir.yml @@ -2,13 +2,14 @@ - block: - name: "Is {{ mysql_custom_datadir }} present ?" - stat: + ansible.builtin.stat: path: "{{ mysql_custom_datadir }}" check_mode: no register: mysql_custom_datadir_test - name: "read the real datadir" - command: readlink -f /var/lib/mysql + ansible.builtin.command: + cmd: readlink -f /var/lib/mysql changed_when: False check_mode: no register: mysql_current_real_datadir_test 
@@ -18,23 +19,24 @@ - block: - name: MySQL is stopped - service: + ansible.builtin.service: name: mysql state: stopped - name: Move MySQL datadir to {{ mysql_custom_datadir }} - command: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} args: creates: "{{ mysql_custom_datadir }}" - name: Symlink {{ mysql_custom_datadir }} to /var/lib/mysql - file: + ansible.builtin.file: src: "{{ mysql_custom_datadir }}" dest: '/var/lib/mysql' state: link - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: diff --git a/mysql-oracle/tasks/log2mail.yml b/mysql-oracle/tasks/log2mail.yml index 568b6649..4eee01c8 100644 --- a/mysql-oracle/tasks/log2mail.yml +++ b/mysql-oracle/tasks/log2mail.yml @@ -1,7 +1,7 @@ --- - name: Is log2mail present ? - stat: + ansible.builtin.stat: path: /etc/log2mail/config check_mode: no register: log2mail_config_dir @@ -10,7 +10,7 @@ - log2mail - name: Copy log2mail config - template: + ansible.builtin.template: src: log2mail.j2 dest: /etc/log2mail/config/mysql.conf owner: log2mail diff --git a/mysql-oracle/tasks/main.yml b/mysql-oracle/tasks/main.yml index 2e2f09bf..1e928681 100644 --- a/mysql-oracle/tasks/main.yml +++ b/mysql-oracle/tasks/main.yml 
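Review bot: The `Move MySQL datadir` task in the `mysql-oracle/tasks/datadir.yml` hunk builds `mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }}` without quoting either path; `ansible.builtin.command` does not go through a shell, but it does split `cmd` on whitespace, so a datadir path containing a space becomes extra `mv` arguments and could move the wrong directory while MySQL is stopped. Quoting both interpolations, `cmd: mv {{ mysql_current_real_datadir_test.stdout | quote }} {{ mysql_custom_datadir | quote }}`, keeps each path as a single argument. The same unquoted command appears in `mysql/tasks/datadir.yml` and `mysql/tasks/logdir.yml` later in this diff. The `creates:` guard prevents a second move but not a partial one; a failed `mv` leaves MySQL stopped, which may be the intended fail-safe, so a `# NOTE:` saying so would help the next reader.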
@@ -1,22 +1,22 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: users.yml +- ansible.builtin.include: users.yml -- include: config.yml +- ansible.builtin.include: config.yml -- include: datadir.yml +- ansible.builtin.include: datadir.yml -- include: tmpdir.yml +- ansible.builtin.include: tmpdir.yml -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: log2mail.yml +- ansible.builtin.include: log2mail.yml -- include: utils.yml +- ansible.builtin.include: utils.yml diff --git a/mysql-oracle/tasks/munin.yml b/mysql-oracle/tasks/munin.yml index b9e633b0..bed33556 100644 --- a/mysql-oracle/tasks/munin.yml +++ b/mysql-oracle/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -11,14 +11,14 @@ - block: - name: Install perl libraries for Munin - apt: + ansible.builtin.apt: name: - libdbd-mysql-perl - libcache-cache-perl state: present - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link @@ -30,7 +30,7 @@ notify: restart munin-node - name: Enable contributed Munin plugins - file: + ansible.builtin.file: src: /usr/share/munin/plugins/mysql_ dest: '/etc/munin/plugins/mysql_{{ item }}' state: link diff --git a/mysql-oracle/tasks/nrpe.yml b/mysql-oracle/tasks/nrpe.yml index c3457699..cce8e4b7 100644 --- a/mysql-oracle/tasks/nrpe.yml +++ b/mysql-oracle/tasks/nrpe.yml @@ -1,7 +1,7 @@ --- - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config 
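Review bot: The `mysql-oracle/tasks/main.yml` hunk rewrites the bare `include:` statements as `ansible.builtin.include:`, which is the long-deprecated dynamic `include` action rather than its replacement, while the sibling `mysql/tasks/main.yml` in this same commit already uses `ansible.builtin.include_tasks`. Newer ansible-core releases drop `include` altogether (2.16, as far as I recall), so these lines would fail to load there; converting them to `- ansible.builtin.include_tasks: packages.yml` (and likewise for the other eight files) keeps both roles consistent and forward-compatible. For untagged includes like these the runtime behaviour is otherwise the same.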
@@ -10,7 +10,7 @@ - nrpe - name: NRPE user exists for MySQL ? - stat: + ansible.builtin.stat: path: ~nagios/.my.cnf check_mode: no register: nrpe_my_cnf @@ -20,13 +20,14 @@ - block: - name: Create a password for NRPE - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_nrpe_password check_mode: no changed_when: False - name: Create nrpe user - mysql_user: + community.mysql.mysql_user: name: nrpe password: '{{ mysql_nrpe_password.stdout }}' priv: "*.*:REPLICATION CLIENT" @@ -36,7 +37,7 @@ register: create_nrpe_user - name: Store credentials in nagios home - ini_file: + community.general.ini_file: dest: "~nagios/.my.cnf" owner: nagios group: nagios diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml index 5bf8848e..7ceadd89 100644 --- a/mysql-oracle/tasks/packages.yml +++ b/mysql-oracle/tasks/packages.yml 
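Review bot: In the `Create a password for NRPE` and `Create nrpe user` tasks of the `mysql-oracle/tasks/nrpe.yml` hunk `@@ -20,13 +20,14 @@`, the generated password is registered in `mysql_nrpe_password` and then passed as `password:`, but neither task sets `no_log: true`, so the secret is printed in verbose runs and captured by any callback or log aggregator that records task results (including the registered `create_nrpe_user` result). Add `no_log: true` to both tasks. `apg` is also an aging generator that must be present on the target; the builtin `lookup('ansible.builtin.password', '/dev/null', length=16)` would produce the secret on the controller without the extra package, if that fits the roles' conventions. The identical pair of tasks appears in `mysql/tasks/nrpe.yml` later in this diff.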
@@ -1,43 +1,43 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_apt_config_package: mysql-apt-config_0.8.9-1_all.deb - name: Set default MySQL version to 5.7 - debconf: + ansible.builtin.debconf: name: mysql-apt-config question: mysql-apt-config/enable-repo value: mysql-5.7 vtype: select - name: MySQL APT config package is available - copy: + ansible.builtin.copy: src: "{{ mysql_apt_config_package }}" dest: "/root/{{ mysql_apt_config_package }}" -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: MySQL APT config package is installed - apt: + ansible.builtin.apt: deb: "/root/{{ mysql_apt_config_package }}" state: present register: mysql_apt_config_deb - name: Open firewall for MySQL.com repository - replace: + ansible.builtin.replace: name: /etc/default/minifirewall regexp: "^(HTTPSITES='((?!(repo\\.mysql\\.com|0\\.0\\.0\\.0)).)*)'$" replace: "\\1 repo.mysql.com'" notify: Restart minifirewall -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/mysql exists - file: + ansible.builtin.file: dest: /usr/share/mysql/ mode: "0755" owner: root @@ -45,7 +45,7 @@ state: directory - name: mysql-systemd-start scripts is installed - copy: + ansible.builtin.copy: src: debian/mysql-systemd-start dest: /usr/share/mysql/mysql-systemd-start mode: "0755" @@ -54,7 +54,7 @@ force: yes - name: systemd unit is installed - copy: + ansible.builtin.copy: src: debian/mysql-server-5.7.mysql.service dest: /etc/systemd/system/mysql.service mode: "0644" @@ -64,12 +64,12 @@ register: mysql_systemd_unit - name: APT cache is up-to-date - apt: + ansible.builtin.apt: update_cache: yes when: mysql_apt_config_deb is changed - name: Install MySQL packages - apt: + ansible.builtin.apt: name: - mysql-server - mysql-client 
@@ -80,7 +80,7 @@ - packages - name: Install MySQL dev packages - apt: + ansible.builtin.apt: name: libmysqlclient20 update_cache: yes state: present @@ -90,7 +90,7 @@ when: mysql_install_libclient | bool - name: MySQL is started - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes state: started @@ -99,7 +99,7 @@ - services - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present tags: diff --git a/mysql-oracle/tasks/tmpdir.yml b/mysql-oracle/tasks/tmpdir.yml index 790a9f2e..d293ea82 100644 --- a/mysql-oracle/tasks/tmpdir.yml +++ b/mysql-oracle/tasks/tmpdir.yml @@ -2,7 +2,7 @@ - block: - name: "Create {{ mysql_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ mysql_custom_tmpdir }}" owner: mysql group: mysql @@ -12,7 +12,7 @@ - mysql - name: Configure tmpdir - ini_file: + community.general.ini_file: dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" section: mysqld option: tmpdir diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml index d0c444e5..62923f27 100644 --- a/mysql-oracle/tasks/users.yml +++ b/mysql-oracle/tasks/users.yml @@ -1,7 +1,7 @@ --- - name: Python2 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -11,7 +11,7 @@ when: ansible_python_version is version('3', '<') - name: Python3 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql @@ -21,14 +21,15 @@ when: ansible_python_version is version('3', '>=') - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False tags: - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" 
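Review bot: The `create a password for mysqladmin` and `there is a mysqladmin user` tasks in the `mysql-oracle/tasks/users.yml` hunk `@@ -21,14 +21,15 @@` register the `apg` output and pass it as `password:` for an account granted `*.*:ALL,GRANT`, with no `no_log: true` on either task, so the all-privileges password shows up in verbose output and in any collected task results. Add `no_log: true` to both tasks; the `debian-sys-maint` pair in the following hunk of the same file has the same gap. The `mysql_user` task continues past the end of the hunk, so its `host`/`login` parameters are not visible here.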
@@ -41,7 +42,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client @@ -57,14 +58,15 @@ - name: create a password for debian-sys-maint - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_debian_password changed_when: False tags: - mysql - name: there is a debian-sys-maint user - mysql_user: + community.mysql.mysql_user: name: debian-sys-maint password: '{{ mysql_debian_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -76,7 +78,7 @@ - mysql - name: store debian-sys-maint user credentials - ini_file: + community.general.ini_file: dest: /etc/mysql/debian.cnf mode: "0600" section: "{{ item[0] }}" @@ -94,7 +96,7 @@ - mysql - name: remove root user - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index 82b0ddbe..cbcc9e37 100644 --- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml @@ -1,14 +1,14 @@ --- -- set_fact: +- ansible.builtin.set_fact: _mysql_scripts_dir: "{{ mysql_scripts_dir | default(general_scripts_dir, True) | mandatory }}" -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Scripts directory exists - file: + ansible.builtin.file: dest: "{{ _mysql_scripts_dir }}" mode: "0700" state: directory @@ -18,7 +18,7 @@ # mytop - name: "mytop is installed (Debian 9)" - apt: + ansible.builtin.apt: name: mytop state: present tags: @@ -33,7 +33,7 @@ # when: ansible_distribution_major_version is version('9', '>=') - name: "mytop dependencies are installed (Buster)" - apt: + ansible.builtin.apt: name: - libconfig-inifiles-perl - libdbd-mysql-perl 
@@ -47,7 +47,7 @@ when: ansible_distribution_release == "stretch" - name: "Install dependencies for mytop (Debian 10)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl @@ -55,21 +55,21 @@ when: ansible_distribution_release == "buster" - name: "Install dependencies for mytop (Debian 11 or later)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.5 - libconfig-inifiles-perl - libterm-readkey-perl when: ansible_distribution_major_version is version('11', '>=') -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - mytop - mysql - name: "mytop is installed (Debian 9 or later)" - copy: + ansible.builtin.copy: src: mytop dest: /usr/local/bin/mytop mode: "0755" @@ -82,7 +82,8 @@ when: ansible_distribution_major_version is version('9', '>=') - name: Read debian-sys-maint password - shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' + ansible.builtin.shell: + cmd: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' register: mysql_debian_password changed_when: False check_mode: no @@ -91,7 +92,7 @@ - mysql - name: mytop configuration is copied - template: + ansible.builtin.template: src: mytop-config.j2 dest: /root/.mytop mode: "0600" @@ -102,7 +103,7 @@ # mysqltuner -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - mysql @@ -113,7 +114,7 @@ # src: mysqltuner.pl # dest: "{{ _mysql_scripts_dir }}/mysqltuner.pl" # mode: "0700" - apt: + ansible.builtin.apt: name: mysqltuner state: present tags: @@ -121,21 +122,21 @@ - mysqltuner - name: aha is installed - apt: + ansible.builtin.apt: name: aha tags: - mysql # automatic optimizations -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - mysql when: _mysql_scripts_dir is search("/usr") - name: mysql-optimize.sh is installed - copy: + ansible.builtin.copy: src: mysql-optimize.sh dest: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" mode: "0700" 
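Review bot: The `Read debian-sys-maint password` task in the `mysql-oracle/tasks/utils.yml` hunk `@@ -82,7 +82,8 @@` registers the plaintext password from `/etc/mysql/debian.cnf` into `mysql_debian_password` without `no_log: true`, so the maintenance account's password is echoed in verbose output and stored in any collected task result. Add `no_log: true` to the task (the downstream `mytop configuration is copied` template is already written with mode `0600`, which is the right end state). The `cat | grep -m1 | cut -d" " -f3` pipeline also depends on the file using exactly `password = value` with single spaces, so a hand-edited file silently yields an empty or wrong value; a `failed_when: mysql_debian_password.stdout | length == 0` guard would surface that instead of writing a broken `.mytop`.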
@@ -143,7 +144,7 @@ - mysql - name: "Cron dir for optimize is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}" state: directory mode: "0755" @@ -153,7 +154,7 @@ - mysql - name: "Enable cron to optimize MySQL" - file: + ansible.builtin.file: src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link @@ -162,7 +163,7 @@ - mysql - name: "Disable cron to optimize MySQL" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: absent when: not (mysql_cron_optimize | bool) @@ -170,7 +171,7 @@ - mysql - name: "Cron dir for mysqltuner is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}" state: directory mode: "0755" @@ -181,7 +182,7 @@ - mysqltuner - name: "Enable mysqltuner in cron" - copy: + ansible.builtin.copy: src: mysqltuner.cron.sh dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh mode: "0755" @@ -191,7 +192,7 @@ - mysqltuner - name: "Disable mysqltuner in cron" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh state: absent when: not (mysql_cron_mysqltuner | bool) @@ -201,12 +202,12 @@ # my-add.sh -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Install my-add.sh - copy: + ansible.builtin.copy: src: my-add.sh dest: "{{ _mysql_scripts_dir }}/my-add.sh" mode: "0700" diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 80afafe5..01ffeccd 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml 
@@ -1,25 +1,25 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart mysql - service: + ansible.builtin.service: name: mysql state: restarted - name: restart mysql (noop) - meta: noop + ansible.builtin.meta: noop failed_when: False changed_when: False - name: reload systemd - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes - name: 'restart xinetd' - service: + ansible.builtin.service: name: 'xinetd' state: 'restarted' diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index a5dd4d77..174fc56a 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_config_directory: /etc/mysql/conf.d - name: "Copy MySQL defaults config file (jessie)" - copy: + ansible.builtin.copy: src: evolinux-defaults.cnf dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_defaults_file }}" owner: root @@ -15,7 +15,7 @@ - mysql - name: "Copy MySQL custom config file (jessie)" - template: + ansible.builtin.template: src: evolinux-custom.cnf.j2 dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" owner: root diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index cfbeedfe..dcf4e9e7 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_config_directory: /etc/mysql/mariadb.conf.d - name: "Copy MySQL defaults config file (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-defaults.cnf dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_defaults_file }}" owner: root @@ -15,7 +15,7 @@ - mysql - name: "Copy MySQL custom config file (Debian 9 or later)" - template: + ansible.builtin.template: src: evolinux-custom.cnf.j2 dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" owner: root 
@@ -26,19 +26,19 @@ - mysql - name: "Create a system config directory for systemd overrides (Debian 9 or later)" - file: + ansible.builtin.file: path: /etc/systemd/system/mariadb.service.d state: directory - name: "Override MariaDB systemd unit (Debian 9 or later)" - template: + ansible.builtin.template: src: mariadb.systemd.j2 dest: /etc/systemd/system/mariadb.service.d/evolinux.conf force: yes register: mariadb_systemd_override - name: reload systemd and restart MariaDB - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes notify: "{{ mysql_restart_handler_name }}" diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index c375f5d5..d28d6440 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -2,13 +2,14 @@ - block: - name: "Is {{ mysql_custom_datadir }} present ?" - stat: + ansible.builtin.stat: path: "{{ mysql_custom_datadir }}" check_mode: no register: mysql_custom_datadir_test - name: "read the real datadir" - command: readlink -f /var/lib/mysql + ansible.builtin.command: + cmd: readlink -f /var/lib/mysql changed_when: False check_mode: no register: mysql_current_real_datadir_test @@ -18,23 +19,24 @@ - block: - name: MySQL is stopped - service: + ansible.builtin.service: name: mysql state: stopped - name: Move MySQL datadir to {{ mysql_custom_datadir }} - command: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} args: creates: "{{ mysql_custom_datadir }}" - name: Symlink {{ mysql_custom_datadir }} to /var/lib/mysql - file: + ansible.builtin.file: src: "{{ mysql_custom_datadir }}" dest: '/var/lib/mysql' state: link - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: diff --git a/mysql/tasks/log2mail.yml b/mysql/tasks/log2mail.yml index 568b6649..4eee01c8 100644 --- a/mysql/tasks/log2mail.yml +++ b/mysql/tasks/log2mail.yml 
@@ -1,7 +1,7 @@ --- - name: Is log2mail present ? - stat: + ansible.builtin.stat: path: /etc/log2mail/config check_mode: no register: log2mail_config_dir @@ -10,7 +10,7 @@ - log2mail - name: Copy log2mail config - template: + ansible.builtin.template: src: log2mail.j2 dest: /etc/log2mail/config/mysql.conf owner: log2mail diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index bd6ecab2..10d2f70e 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml @@ -2,13 +2,14 @@ - block: - name: "Is {{ mysql_custom_logdir }} present ?" - stat: + ansible.builtin.stat: path: "{{ mysql_custom_logdir }}" check_mode: no register: mysql_custom_logdir_test - name: "read the real logdir" - command: readlink -f /var/log/mysql + ansible.builtin.command: + cmd: readlink -f /var/log/mysql changed_when: False check_mode: no register: mysql_current_real_logdir_test @@ -18,23 +19,24 @@ - block: - name: MySQL is stopped - service: + ansible.builtin.service: name: mysql state: stopped - name: Move MySQL logdir to {{ mysql_custom_logdir }} - command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }} + ansible.builtin.command: + cmd: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }} args: creates: "{{ mysql_custom_logdir }}" - name: Symlink {{ mysql_custom_logdir }} to /var/log/mysql - file: + ansible.builtin.file: src: "{{ mysql_custom_logdir }}" dest: '/var/log/mysql' state: link - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 2a24c69f..cc32bff4 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml 
@@ -1,11 +1,11 @@ --- - name: Set if MySQL should be restart (if needed) or not at all - set_fact: + ansible.builtin.set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" - name: Default log directory is present - file: + ansible.builtin.file: path: /var/log/mysql owner: mysql group: adm 
@@ -13,46 +13,46 @@ state: directory when: ansible_distribution_major_version is version('12', '>=') -- include_tasks: packages_stretch.yml +- ansible.builtin.include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include_tasks: packages_jessie.yml +- ansible.builtin.include_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" ## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility -- include_tasks: users_bullseye.yml +- ansible.builtin.include_tasks: users_bullseye.yml when: ansible_distribution_major_version is version('11', '>=') -- include_tasks: users_buster.yml +- ansible.builtin.include_tasks: users_buster.yml when: ansible_distribution_release == "buster" -- include_tasks: users_stretch.yml +- ansible.builtin.include_tasks: users_stretch.yml when: ansible_distribution_release == "stretch" -- include_tasks: users_jessie.yml +- ansible.builtin.include_tasks: users_jessie.yml when: ansible_distribution_release == "jessie" -- include_tasks: config_stretch.yml +- ansible.builtin.include_tasks: config_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include_tasks: config_jessie.yml +- ansible.builtin.include_tasks: config_jessie.yml when: ansible_distribution_release == "jessie" -- include_tasks: replication.yml +- ansible.builtin.include_tasks: replication.yml when: mysql_replication | bool -- include_tasks: datadir.yml +- ansible.builtin.include_tasks: datadir.yml -- include_tasks: logdir.yml +- ansible.builtin.include_tasks: logdir.yml -- include_tasks: tmpdir.yml +- ansible.builtin.include_tasks: tmpdir.yml -- include_tasks: nrpe.yml +- ansible.builtin.include_tasks: nrpe.yml -- include_tasks: munin.yml +- ansible.builtin.include_tasks: munin.yml -- include_tasks: log2mail.yml +- ansible.builtin.include_tasks: log2mail.yml -- include_tasks: utils.yml +- ansible.builtin.include_tasks: utils.yml -- include_tasks: 
mysql_skip.yml +- ansible.builtin.include_tasks: mysql_skip.yml diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml index 7d67065f..9b4e9617 100644 --- a/mysql/tasks/munin.yml +++ b/mysql/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -11,7 +11,7 @@ - block: - name: "Install perl libraries for Munin (Debian < 11)" - apt: + ansible.builtin.apt: name: - libdbd-mysql-perl - libcache-cache-perl @@ -19,14 +19,14 @@ when: ansible_distribution_major_version is version('11', '<') - name: "Install perl libraries for Munin (Debian >= 11)" - apt: + ansible.builtin.apt: name: - libcache-cache-perl - libdbd-mariadb-perl when: ansible_distribution_major_version is version('11', '>=') - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link @@ -38,7 +38,7 @@ notify: restart munin-node - name: Enable contributed Munin plugins - file: + ansible.builtin.file: src: /usr/share/munin/plugins/mysql_ dest: '/etc/munin/plugins/mysql_{{ item }}' state: link @@ -67,7 +67,7 @@ notify: restart munin-node - name: verify Munin configuration for mysql < Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqluser (.+)$' @@ -76,7 +76,7 @@ when: ansible_distribution_major_version is version_compare('11', '<') - name: set Munin env.mysqluser option for mysql >= Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqluser (.+)$' @@ -85,7 +85,7 @@ when: ansible_distribution_major_version is version_compare('11', '>=') - name: set Munin env.mysqlopts option for mysql >= Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqlopts (.+)$' 
@@ -94,7 +94,7 @@ when: ansible_distribution_major_version is version_compare('11', '>=') - name: set Munin env.mysqlconnection option for mysql >= Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqlconnection (.+)$' diff --git a/mysql/tasks/mysql_skip.yml b/mysql/tasks/mysql_skip.yml index 65d1c13f..2455641a 100644 --- a/mysql/tasks/mysql_skip.yml +++ b/mysql/tasks/mysql_skip.yml @@ -1,7 +1,7 @@ --- - name: "Copy script mysql_skip.sh into /usr/local/bin/" - copy: + ansible.builtin.copy: src: mysql_skip.sh dest: "/usr/local/bin/mysql_skip.sh" owner: root @@ -12,7 +12,7 @@ - mysql_skip - name: "Copy config file for mysql_skip.sh" - template: + ansible.builtin.template: src: mysql_skip.conf.j2 dest: "/etc/mysql_skip.conf" owner: root @@ -22,7 +22,7 @@ - mysql_skip - name: "Create log file for mysql_skip.sh" - file: + ansible.builtin.file: path: "/var/log/mysql_skip.log" state: touch owner: root @@ -32,7 +32,7 @@ - mysql_skip - name: "Copy logrotate file for mysql_skip.sh" - template: + ansible.builtin.template: src: mysql_skip.logrotate.j2 dest: "/etc/logrotate.d/mysql_skip" owner: root @@ -42,13 +42,13 @@ - mysql_skip - name: "Copy mysql_skip.sh systemd unit" - template: + ansible.builtin.template: src: mysql_skip.systemd.j2 dest: /etc/systemd/system/mysql_skip.service force: yes - name: "Start or stop systemd unit" - systemd: + ansible.builtin.systemd: name: mysql_skip daemon_reload: yes state: "{{ mysql_skip_enabled | bool | ternary('started', 'stopped') }}" \ No newline at end of file diff --git a/mysql/tasks/nrpe.yml b/mysql/tasks/nrpe.yml index c3457699..cce8e4b7 100644 --- a/mysql/tasks/nrpe.yml +++ b/mysql/tasks/nrpe.yml @@ -1,7 +1,7 @@ --- - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config 
@@ -10,7 +10,7 @@ - nrpe - name: NRPE user exists for MySQL ? - stat: + ansible.builtin.stat: path: ~nagios/.my.cnf check_mode: no register: nrpe_my_cnf @@ -20,13 +20,14 @@ - block: - name: Create a password for NRPE - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_nrpe_password check_mode: no changed_when: False - name: Create nrpe user - mysql_user: + community.mysql.mysql_user: name: nrpe password: '{{ mysql_nrpe_password.stdout }}' priv: "*.*:REPLICATION CLIENT" @@ -36,7 +37,7 @@ register: create_nrpe_user - name: Store credentials in nagios home - ini_file: + community.general.ini_file: dest: "~nagios/.my.cnf" owner: nagios group: nagios diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 652eace7..942c1006 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -1,7 +1,7 @@ --- - name: Choose packages (Oracle) - set_fact: + ansible.builtin.set_fact: mysql_packages: "{{ mysql_packages_oracle }}" when: mysql_variant == "oracle" tags: @@ -9,7 +9,7 @@ - packages - name: Choose packages (MariaDB) - set_fact: + ansible.builtin.set_fact: mysql_packages: "{{ mysql_packages_mariadb }}" when: mysql_variant == "mariadb" tags: @@ -17,7 +17,7 @@ - packages - name: Install MySQL packages - apt: + ansible.builtin.apt: name: "{{ mysql_packages }}" update_cache: yes state: present @@ -26,7 +26,7 @@ - packages - name: Install MySQL dev packages - apt: + ansible.builtin.apt: name: libmysqlclient-dev update_cache: yes state: present @@ -36,7 +36,7 @@ when: mysql_install_libclient | bool - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: @@ -44,7 +44,7 @@ - services - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present tags: @@ -52,7 +52,7 @@ - packages - name: Python dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: python-mysqldb state: present tags: 
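Review bot: The `Create a password for NRPE` task in mysql/tasks/nrpe.yml registers the generated plaintext as `mysql_nrpe_password` without `no_log: true`, so it is printed in the play output at `-v` and captured by any callback or log that records registered results. Add `no_log: true` to that command task; the `community.mysql.mysql_user` module masks its own `password` argument, but nothing masks the registered command result. Note also that `apg` without `-a 1` runs in its pronounceable mode, which gives less entropy per character than the random mode used elsewhere in this series (`apg -a 1 ...` in nginx/tasks/server_status_read.yml), so `cmd: "apg -a 1 -n 1 -m 16 -M lcN"` would be a cheap improvement. The `- block:` opened in this hunk has its `when` outside the hunk.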
diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 880f5050..8853a13c 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -1,7 +1,7 @@ --- - name: Install MySQL packages - apt: + ansible.builtin.apt: name: - mariadb-server - mariadb-client @@ -12,7 +12,7 @@ - packages - name: Install MySQL dev packages - apt: + ansible.builtin.apt: name: default-libmysqlclient-dev update_cache: yes state: present @@ -22,7 +22,7 @@ when: mysql_install_libclient | bool - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: @@ -30,7 +30,7 @@ - services - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present tags: @@ -38,7 +38,7 @@ - packages - name: Python2 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -49,7 +49,7 @@ when: ansible_python_version is version('3', '<') - name: Python3 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql diff --git a/mysql/tasks/replication.yml b/mysql/tasks/replication.yml index f447d099..4ca491da 100644 --- a/mysql/tasks/replication.yml +++ b/mysql/tasks/replication.yml @@ -1,14 +1,14 @@ --- - name: 'Copy MySQL configuration for replication' - template: + ansible.builtin.template: src: 'replication.cnf.j2' dest: "{{ mysql_config_directory }}/zzzz-replication.cnf" mode: "0644" notify: 'restart mysql' - name: 'Create repl user' - mysql_user: + community.mysql.mysql_user: name: 'repl' host: '%' encrypted: true 
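Review bot: The `Create repl user` task in mysql/tasks/replication.yml creates the replication account with `host: '%'`, so the repl credentials are accepted from any address that can reach the MySQL port, not only from the replica. If the replica address is known to the role, restrict it with something like `host: "{{ mysql_repl_host | default('%') }}"` and document the variable; the `when: mysql_repl_password | length > 0` guard on this task lies outside the hunk. Since the task uses `encrypted: true`, `mysql_repl_password` must hold a MySQL password hash rather than plaintext — that expectation is worth a comment next to the variable so nobody feeds it a clear-text secret.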
@@ -20,22 +20,22 @@ when: mysql_repl_password | length > 0 - name: 'Install xinetd' - apt: + ansible.builtin.apt: name: 'xinetd' - name: 'Add xinetd configuration for MySQL HAProxy check' - copy: + ansible.builtin.copy: src: 'xinetd/mysqlchk' dest: '/etc/xinetd.d/' mode: '0644' notify: 'restart xinetd' # /!\ Warning, this is a temporary hack -- include_role: +- ansible.builtin.include_role: name: remount-usr - name: 'Copy mysqlchk script' - copy: + ansible.builtin.copy: src: 'xinetd/mysqlchk.sh' dest: '/usr/share/scripts/' mode: '0755' diff --git a/mysql/tasks/tmpdir.yml b/mysql/tasks/tmpdir.yml index 79a3ac5e..ecd9e279 100644 --- a/mysql/tasks/tmpdir.yml +++ b/mysql/tasks/tmpdir.yml @@ -2,7 +2,7 @@ - block: - name: "Create {{ mysql_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ mysql_custom_tmpdir }}" owner: mysql group: mysql @@ -12,7 +12,7 @@ - mysql - name: Configure tmpdir - ini_file: + community.general.ini_file: dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" section: mysqld option: tmpdir diff --git a/mysql/tasks/users_bullseye.yml b/mysql/tasks/users_bullseye.yml index 1bdc9084..d2b6c04d 100644 --- a/mysql/tasks/users_bullseye.yml +++ b/mysql/tasks/users_bullseye.yml @@ -1,7 +1,7 @@ --- - name: Populate the .my.cnf of root with default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client diff --git a/mysql/tasks/users_buster.yml b/mysql/tasks/users_buster.yml index dc7cec85..490a7ccc 100644 --- a/mysql/tasks/users_buster.yml +++ b/mysql/tasks/users_buster.yml @@ -1,7 +1,8 @@ --- - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False check_mode: False @@ -9,7 +10,7 @@ - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" 
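Review bot: The `create a password for mysqladmin` task in mysql/tasks/users_buster.yml registers the generated plaintext as `mysql_admin_password` without `no_log: true`, and the account it feeds is granted `*.*:ALL,GRANT`. Add `no_log: true` to the command task so the secret is not echoed at `-v` or stored by logging callbacks; `changed_when: False` and `check_mode: False` are already correct, so it is a one-line change. The same pattern recurs in the `create a password for debian-sys-maint` task later in this file and in users_jessie.yml and users_stretch.yml.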
@@ -21,7 +22,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client @@ -36,7 +37,8 @@ - mysql - name: create a password for debian-sys-maint - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_debian_password changed_when: False check_mode: False @@ -44,7 +46,7 @@ - mysql - name: there is a debian-sys-maint user - mysql_user: + community.mysql.mysql_user: name: debian-sys-maint password: '{{ mysql_debian_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -56,7 +58,7 @@ - mysql - name: store debian-sys-maint user credentials - ini_file: + community.general.ini_file: dest: /etc/mysql/debian.cnf mode: "0600" section: "{{ item[0] }}" @@ -74,7 +76,7 @@ - mysql - name: root user is absent - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index e2b066b1..1bde42c9 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -1,12 +1,13 @@ --- - name: "Abort if MariaDB on Debian 8" - fail: + ansible.builtin.fail: msg: "We can't create other users with 'debian-sys-maint' on Debian 8 with MariaDB.\nWe must give it the GRANT privilege before continuing." when: mysql_variant == "mariadb" - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False check_mode: no @@ -14,7 +15,7 @@ - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -26,7 +27,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client 
@@ -41,7 +42,7 @@ - mysql - name: root user is absent - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index dc7cec85..490a7ccc 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml @@ -1,7 +1,8 @@ --- - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False check_mode: False @@ -9,7 +10,7 @@ - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -21,7 +22,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client @@ -36,7 +37,8 @@ - mysql - name: create a password for debian-sys-maint - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_debian_password changed_when: False check_mode: False @@ -44,7 +46,7 @@ - mysql - name: there is a debian-sys-maint user - mysql_user: + community.mysql.mysql_user: name: debian-sys-maint password: '{{ mysql_debian_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -56,7 +58,7 @@ - mysql - name: store debian-sys-maint user credentials - ini_file: + community.general.ini_file: dest: /etc/mysql/debian.cnf mode: "0600" section: "{{ item[0] }}" @@ -74,7 +76,7 @@ - mysql - name: root user is absent - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 306ccd00..f8005ee2 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
@@ -1,14 +1,14 @@ --- -- set_fact: +- ansible.builtin.set_fact: _mysql_scripts_dir: "{{ mysql_scripts_dir | default(general_scripts_dir, True) | mandatory }}" -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Ensure scripts directory exists - file: + ansible.builtin.file: dest: "{{ _mysql_scripts_dir }}" mode: "0700" state: directory @@ -18,7 +18,7 @@ # mytop - name: "Install mytop (Debian 8)" - apt: + ansible.builtin.apt: name: mytop state: present tags: @@ -28,7 +28,7 @@ when: ansible_distribution_release == "jessie" - name: "Install dependencies for mytop (Debian 9)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.1 - libconfig-inifiles-perl @@ -36,7 +36,7 @@ when: ansible_distribution_release == "stretch" - name: "Install dependencies for mytop (Debian 10)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl @@ -44,7 +44,7 @@ when: ansible_distribution_release == "buster" - name: "Install dependencies for mytop (Debian 11)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.5 - libconfig-inifiles-perl @@ -53,7 +53,7 @@ when: ansible_distribution_release == "bullseye" - name: "Install dependencies for mytop (Debian 12 or later)" - apt: + ansible.builtin.apt: name: - mariadb-client - libconfig-inifiles-perl @@ -62,7 +62,8 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Read debian-sys-maint password (Debian < 11) - shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' + ansible.builtin.shell: + cmd: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' register: mysql_debian_password changed_when: False check_mode: no @@ -71,7 +72,7 @@ when: ansible_distribution_major_version is version('11', '<') - name: Configure mytop (Debian < 11) - template: + ansible.builtin.template: src: mytop.j2 dest: /root/.mytop mode: "0600" 
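Review bot: The `Read debian-sys-maint password (Debian < 11)` task in mysql/tasks/utils.yml registers the secret parsed out of /etc/mysql/debian.cnf as `mysql_debian_password` with no `no_log: true`, so the plaintext appears in verbose output and in any log that stores registered results. Add `no_log: true` to the task; while touching it, the useless `cat` can go, e.g. `cmd: 'grep -m1 "password = .*" /etc/mysql/debian.cnf | cut -d" " -f3'`. The consuming `Configure mytop` template task in the next hunk writes /root/.mytop with mode 0600, which is fine.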
@@ -82,7 +83,7 @@ when: ansible_distribution_major_version is version('11', '<') - name: Configure mytop (Debian >= 11) - template: + ansible.builtin.template: src: mytop.bullseye.j2 dest: /root/.mytop mode: "0600" @@ -94,7 +95,7 @@ # mysqltuner -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") @@ -103,7 +104,7 @@ # src: mysqltuner.pl # dest: "{{ _mysql_scripts_dir }}/mysqltuner.pl" # mode: "0700" - apt: + ansible.builtin.apt: name: mysqltuner state: present tags: @@ -111,7 +112,7 @@ - mysqltuner - name: Install aha - apt: + ansible.builtin.apt: name: aha tags: - mysql @@ -119,7 +120,7 @@ # Percona Toolkit - name: "Install percona-toolkit (Debian 9 or later)" - apt: + ansible.builtin.apt: name: percona-toolkit state: present tags: @@ -130,12 +131,12 @@ # automatic optimizations -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Optimize script for MySQL - copy: + ansible.builtin.copy: src: mysql-optimize.sh dest: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" mode: "0700" @@ -143,7 +144,7 @@ - mysql - name: "Cron dir for optimize is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}" state: directory mode: "0755" @@ -151,7 +152,7 @@ group: root - name: "Enable cron to optimize MySQL" - file: + ansible.builtin.file: src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link @@ -160,7 +161,7 @@ - mysql - name: "Disable cron to optimize MySQL" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: absent when: not (mysql_cron_optimize | bool) 
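Review bot: The `Enable cron to optimize MySQL` task in mysql/tasks/utils.yml links the script as `/etc/cron.{{ mysql_cron_optimize_frequency }}/mysql-optimize.sh`, but Debian's `run-parts` (which /etc/crontab uses for the cron.hourly/daily/weekly/monthly directories) skips file names containing a dot unless it is invoked with `--lsbsysinit` or `--regex`, so this job most likely never fires; /etc/cron.d applies the same name rule. Drop the extension from the link name, `dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize`, and change the `Disable cron to optimize MySQL` task's `dest` to match so the cleanup still finds it; the `mysqltuner.sh` copy in the next hunk has the same issue. `run-parts --test /etc/cron.daily` on a deployed host will confirm whether the script is listed.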
@@ -168,7 +169,7 @@ - mysql - name: "Cron dir for mysqltuner is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}" state: directory mode: "0755" @@ -176,7 +177,7 @@ group: root - name: "Enable mysqltuner in cron" - copy: + ansible.builtin.copy: src: mysqltuner.cron.sh dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh mode: "0755" @@ -185,7 +186,7 @@ - mysql - name: "Disable mysqltuner in cron" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh state: absent when: not (mysql_cron_mysqltuner | bool) @@ -194,12 +195,12 @@ # my-add.sh -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Install my-add.sh - copy: + ansible.builtin.copy: src: my-add.sh dest: "{{ _mysql_scripts_dir }}/my-add.sh" mode: "0700" @@ -208,14 +209,14 @@ - mysql - name: Install apg - apt: + ansible.builtin.apt: name: apg tags: - mysql - packages - name: "Install save_mysql_processlist.sh" - copy: + ansible.builtin.copy: src: save_mysql_processlist.sh dest: "{{ _mysql_scripts_dir }}/save_mysql_processlist.sh" mode: "0755" @@ -224,7 +225,7 @@ - mysql - name: "Install mysql_connections" - copy: + ansible.builtin.copy: src: mysql_connections.sh dest: "{{ _mysql_scripts_dir }}/mysql_connections" mode: "0755" @@ -233,7 +234,7 @@ - mysql - name: "Install mysql-queries-killer.sh" - copy: + ansible.builtin.copy: src: mysql-queries-killer.sh dest: "{{ _mysql_scripts_dir }}/mysql-queries-killer.sh" mode: "0755" @@ -242,7 +243,7 @@ - mysql - name: "Install evomariabackup" - copy: + ansible.builtin.copy: src: evomariabackup.sh dest: "{{ _mysql_scripts_dir }}/evomariabackup" mode: "0755" diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index 25ab29ad..b4b24b09 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml 
@@ -1,11 +1,11 @@ --- - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart nrpe - service: + ansible.builtin.service: name: nrpe state: restarted diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 5a77c4ee..c05cf85a 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: base nrpe & plugins packages are installed - apt: + ansible.builtin.apt: name: - nagios-nrpe-server - monitoring-plugins @@ -14,7 +14,7 @@ - name: custom plugin dependencies packages are installed - apt: + ansible.builtin.apt: name: - libfcgi-client-perl state: present @@ -25,7 +25,7 @@ - nagios-plugins - name: custom configuration is present - template: + ansible.builtin.template: src: evolix.cfg.j2 dest: /etc/nagios/nrpe.d/evolix.cfg group: nagios @@ -36,7 +36,7 @@ - nagios-nrpe - name: update allowed_hosts lists - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg line: "allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}" regexp: '^allowed_hosts=' @@ -47,7 +47,7 @@ - nagios-nrpe - name: Nagios config is secured - file: + ansible.builtin.file: dest: /etc/nagios/ mode: "0750" group: nagios @@ -56,7 +56,7 @@ tags: - nagios-nrpe -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: nagios_plugins_directory is search("/usr") tags: @@ -64,7 +64,7 @@ - nagios-plugins - name: Nagios plugins are installed - copy: + ansible.builtin.copy: src: plugins/ dest: "{{ nagios_plugins_directory }}/" mode: "0755" @@ -74,7 +74,7 @@ - nagios-plugins - name: Nagios lib is secured - file: + ansible.builtin.file: dest: /usr/local/lib/nagios/ mode: "0755" group: nagios @@ -84,4 +84,4 @@ tags: - nagios-nrpe -- include_tasks: wrapper.yml \ No newline at end of file +- ansible.builtin.include_tasks: wrapper.yml \ No newline at end of file 
diff --git a/nagios-nrpe/tasks/wrapper.yml b/nagios-nrpe/tasks/wrapper.yml index f49c7509..add493fd 100644 --- a/nagios-nrpe/tasks/wrapper.yml +++ b/nagios-nrpe/tasks/wrapper.yml @@ -2,22 +2,23 @@ - name: "Remount /usr if needed" - include_role: + ansible.builtin.include_role: name: remount-usr - name: check if old script is present - stat: + ansible.builtin.stat: path: /usr/share/scripts/alerts_switch register: old_alerts_switch - name: alerts_switch is at the right place - command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch" + ansible.builtin.command: + cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch" args: creates: /usr/local/bin/alerts_switch when: old_alerts_switch.stat.exists - name: "copy alerts_switch" - copy: + ansible.builtin.copy: src: alerts_switch dest: /usr/local/bin/alerts_switch owner: root @@ -26,14 +27,14 @@ force: yes - name: "symlink for backward compatibility" - file: + ansible.builtin.file: src: /usr/local/bin/alerts_switch dest: /usr/share/scripts/alerts_switch state: link when: old_alerts_switch.stat.exists - name: "copy alerts_wrapper" - copy: + ansible.builtin.copy: src: alerts_wrapper dest: "{{ nagios_plugins_directory }}/alerts_wrapper" owner: root diff --git a/nameserver/tasks/main.yml b/nameserver/tasks/main.yml index 83ba2a34..16b06bbd 100644 --- a/nameserver/tasks/main.yml +++ b/nameserver/tasks/main.yml @@ -1,6 +1,7 @@ --- - name: Get actual nameserver - shell: grep nameserver /etc/resolv.conf | awk '{ print $2 }' + ansible.builtin.shell: + cmd: grep nameserver /etc/resolv.conf | awk '{ print $2 }' register: grep_nameserver check_mode: no changed_when: False @@ -8,7 +9,7 @@ - nameserver - name: Set nameserver - lineinfile: + ansible.builtin.lineinfile: dest: /etc/resolv.conf line: "nameserver {{ item }}" state: present 
@@ -17,7 +18,7 @@ - nameserver - name: Unset others nameserver - lineinfile: + ansible.builtin.lineinfile: dest: /etc/resolv.conf line: "nameserver {{ item }}" state: absent diff --git a/networkd-to-ifconfig/tasks/main.yml b/networkd-to-ifconfig/tasks/main.yml index d1ac0ac4..ff192645 100644 --- a/networkd-to-ifconfig/tasks/main.yml +++ b/networkd-to-ifconfig/tasks/main.yml @@ -1,11 +1,11 @@ --- - name: Check state of /etc/network/interfaces - stat: + ansible.builtin.stat: path: /etc/network/interfaces register: interfaces_file -- debug: +- ansible.builtin.debug: msg: A /etc/network/interfaces file already exists, nothing is done. when: - interfaces_file.stat.exists @@ -13,29 +13,29 @@ - block: - name: "Look for systemd network config" - stat: + ansible.builtin.stat: path: /etc/systemd/network/50-default.network register: systemd_network_file - name: Set interface name - set_fact: + ansible.builtin.set_fact: eni_interface_name: "{{ ansible_default_ipv4.interface }}" - - include: set_facts_from_systemd.yml + - ansible.builtin.include: set_facts_from_systemd.yml when: systemd_network_file.stat.exists - - include: set_facts_from_ansible.yml + - ansible.builtin.include: set_facts_from_ansible.yml when: not systemd_network_file.stat.exists - name: Check config (IPv4) - assert: + ansible.builtin.assert: that: - eni_ipv4_address | ipv4 - eni_ipv4_gateway | ipv4 msg: "IPv4 configuration is invalid" - name: Check config (IPV6) - assert: + ansible.builtin.assert: that: - eni_ipv6_address | ipv6 - eni_ipv6_gateway | ipv6 @@ -43,7 +43,7 @@ when: (eni_ipv6_address | length > 0) or (eni_ipv6_gateway | length > 0) - name: "A new /etc/network/interfaces is generated" - template: + ansible.builtin.template: src: interfaces.j2 dest: /etc/network/interfaces mode: "0644" 
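Review bot: The two `ansible.builtin.include:` tasks in networkd-to-ifconfig/tasks/main.yml now carry the FQCN of a module that has been deprecated since Ansible 2.4 and was removed in ansible-core 2.16, so this hunk will fail on a current controller even though it passes the FQCN linter. Replace them with `ansible.builtin.include_tasks: set_facts_from_systemd.yml` and `ansible.builtin.include_tasks: set_facts_from_ansible.yml`, keeping the `when:` conditions as they are; newrelic/tasks/main.yml and nginx/tasks/main.yml in this series have the same pattern. The `ipv4`/`ipv6` filters in the two `assert` tasks are, as far as I know, short names that only work through a runtime redirect to `ansible.utils.ipv4`/`ansible.utils.ipv6` (requiring `netaddr`), so if the goal is a fully qualified role they are worth converting too.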
@@ -51,18 +51,18 @@ group: root - name: "Systemd 'networkd' unit is stopped and disabled" - systemd: + ansible.builtin.systemd: name: systemd-networkd.service enabled: False state: stopped - name: "Systemd 'networking' unit is restarted (it often results in error)" - systemd: + ansible.builtin.systemd: name: networking enabled: True state: restarted ignore_errors: True - - debug: + - ansible.builtin.debug: msg: You should verify your configuration, then reboot the server. when: (force_update_eni_file | bool) or (not interfaces_file.stat.exists) diff --git a/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml b/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml index 5f6f4011..b358801d 100644 --- a/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml +++ b/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml @@ -1,13 +1,13 @@ --- - name: Prepare variables (IPv4) - set_fact: + ansible.builtin.set_fact: eni_ipv4_address: "{{ ansible_default_ipv4.address | ipv4 }}" eni_ipv4_gateway: "{{ ansible_default_ipv4.gateway | ipv4 }}" when: ansible_default_ipv4 | length > 0 - name: Prepare variables (IPv6) - set_fact: + ansible.builtin.set_fact: eni_ipv6_address: "{{ ansible_default_ipv6.address | ipv6 | first }}" eni_ipv6_gateway: "{{ ansible_default_ipv6.gateway | ipv6 | first }}" when: ansible_default_ipv6 | length > 0 diff --git a/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml b/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml index d21012fd..66dc648c 100644 --- a/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml +++ b/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml 
@@ -1,17 +1,19 @@ --- - name: "Parse addresses" - shell: "grep Address= /etc/systemd/network/50-default.network | cut -d'=' -f2" + ansible.builtin.shell: + cmd: "grep Address= /etc/systemd/network/50-default.network | cut -d'=' -f2" register: network_address_grep check_mode: no - name: "Parse gateways" - shell: "grep Gateway= /etc/systemd/network/50-default.network | cut -d'=' -f2" + ansible.builtin.shell: + cmd: "grep Gateway= /etc/systemd/network/50-default.network | cut -d'=' -f2" register: network_gateway_grep check_mode: no - name: Prepare variables - set_fact: + ansible.builtin.set_fact: eni_ipv4_address: "{{ network_address_grep.stdout_lines | ipv4 | first }}" eni_ipv4_gateway: "{{ network_gateway_grep.stdout_lines | ipv4 | first }}" eni_ipv6_address: "{{ network_address_grep.stdout_lines | ipv6 | first }}" diff --git a/newrelic/handlers/main.yml b/newrelic/handlers/main.yml index 4ad78be9..ffa52956 100644 --- a/newrelic/handlers/main.yml +++ b/newrelic/handlers/main.yml @@ -1,20 +1,20 @@ --- - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded - name: apt update - apt: + ansible.builtin.apt: update_cache: yes - name: restart newrelic-sysmond - systemd: + ansible.builtin.systemd: name: newrelic-sysmond state: restarted diff --git a/newrelic/tasks/main.yml b/newrelic/tasks/main.yml index a4e8f2b3..e2c49021 100644 --- a/newrelic/tasks/main.yml +++ b/newrelic/tasks/main.yml @@ -1,9 +1,9 @@ --- -- include: sources.yml +- ansible.builtin.include: sources.yml -- include: php.yml +- ansible.builtin.include: php.yml when: newrelic_php | bool -- include: sysmond.yml +- ansible.builtin.include: sysmond.yml when: newrelic_sysmond | bool diff --git a/nginx/handlers/main.yml b/nginx/handlers/main.yml index 494d40f4..bdd5f477 100644 --- a/nginx/handlers/main.yml +++ b/nginx/handlers/main.yml 
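Review bot: The `Parse addresses` and `Parse gateways` shell tasks in networkd-to-ifconfig/tasks/set_facts_from_systemd.yml are read-only greps but have no `changed_when: False`, so every run reports them as changed and the play recap cannot be trusted for this role; the equivalent `Get actual nameserver` task in nameserver/tasks/main.yml does set it. Add `changed_when: False` under each `register:` line. The `check_mode: no` already present is right, since the facts are needed for the `assert` tasks in main.yml.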
@@ -1,15 +1,15 @@ --- - name: restart nginx - service: + ansible.builtin.service: name: nginx state: restarted - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: restart munin - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml index 2667d1d3..fc4fd2d2 100644 --- a/nginx/tasks/ip_whitelist.yml +++ b/nginx/tasks/ip_whitelist.yml @@ -1,7 +1,7 @@ --- - name: add IP addresses to private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/ipaddr_whitelist line: "allow {{ item }};" state: present @@ -12,7 +12,7 @@ - ips - name: remove IP addresses from private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/ipaddr_whitelist line: "allow {{ item }};" state: absent diff --git a/nginx/tasks/logrotate.yml b/nginx/tasks/logrotate.yml index c987c2f7..d475e419 100644 --- a/nginx/tasks/logrotate.yml +++ b/nginx/tasks/logrotate.yml @@ -1,7 +1,7 @@ --- - name: Logrotate is configured for Nginx - copy: + ansible.builtin.copy: src: logrotate_nginx dest: /etc/logrotate.d/nginx force: no diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index e7abc1b5..aec36bec 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -1,16 +1,16 @@ --- -- debug: +- ansible.builtin.debug: msg: "Nginx minimal mode has been removed, falling back to normal mode." when: not nginx_minimal | bool -- debug: +- ansible.builtin.debug: msg: "Nginx minimal mode has been set, using minimal mode." when: nginx_minimal | bool -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: server_status_read.yml +- ansible.builtin.include: server_status_read.yml tags: - nginx 
@@ -18,7 +18,7 @@ # without touching the main file - name: customize worker_connections - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf regexp: '^(\s*worker_connections)\s+.+;' line: ' worker_connections 1024;' @@ -27,7 +27,7 @@ - nginx - name: use epoll - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf regexp: '^(\s*use)\s+.+;' line: ' use epoll;' @@ -36,7 +36,7 @@ - nginx - name: Install Nginx http configuration - copy: + ansible.builtin.copy: src: nginx/evolinux-defaults.conf dest: /etc/nginx/conf.d/z-evolinux-defaults.conf mode: "0640" @@ -50,7 +50,7 @@ # and not too loose for private_htpasswd - name: Copy ipaddr_whitelist - copy: + ansible.builtin.copy: src: nginx/snippets/ipaddr_whitelist dest: /etc/nginx/snippets/ipaddr_whitelist owner: www-data @@ -64,10 +64,10 @@ - ips - name: Include IP address whitelist task - include: ip_whitelist.yml + ansible.builtin.include: ip_whitelist.yml - name: Copy evolinux_server_custom - copy: + ansible.builtin.copy: src: nginx/snippets/evolinux_server_custom dest: /etc/nginx/snippets/evolinux_server_custom owner: www-data @@ -81,7 +81,7 @@ - ips - name: Copy private_htpasswd - copy: + ansible.builtin.copy: src: nginx/snippets/private_htpasswd dest: /etc/nginx/snippets/private_htpasswd owner: www-data @@ -94,7 +94,7 @@ - nginx - name: add user:pwd to private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/private_htpasswd line: "{{ item }}" state: present @@ -104,7 +104,7 @@ - nginx - name: remove user:pwd from private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/private_htpasswd line: "{{ item }}" state: absent @@ -114,7 +114,7 @@ - nginx - name: nginx vhost is installed - template: + ansible.builtin.template: src: "{{ nginx_default_template_regular }}" dest: /etc/nginx/sites-available/evolinux-default.conf mode: "0640" 
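Review bot: The `Copy private_htpasswd` task in nginx/tasks/main.yml sets `owner: www-data` on the credential file /etc/nginx/snippets/private_htpasswd (the mode is cut off by the hunk). Nginx only needs to read this file, and ownership by the worker user means any process compromised while running as www-data can add or replace entries; `owner: root`, `group: www-data`, `mode: "0640"` preserves read access without the write path. The comment above the `Copy ipaddr_whitelist` task ("not too loose for private_htpasswd") suggests this was already a concern when the role was written.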
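Review bot: The `add user:pwd to private htpasswd` task in nginx/tasks/main.yml writes each loop item into /etc/nginx/snippets/private_htpasswd without `no_log: true`, so every `user:hash` entry (or plaintext password, if that is what the variable holds) is echoed per item in the task output. Add `no_log: true` to this task and to the matching `remove user:pwd from private htpasswd` task; the loop itself is outside the hunk. The role should also document in its defaults whether the items are expected to be pre-hashed htpasswd lines, since the task copies them verbatim.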
@@ -124,7 +124,7 @@ - nginx - name: default vhost is enabled - file: + ansible.builtin.file: src: /etc/nginx/sites-available/evolinux-default.conf dest: /etc/nginx/sites-enabled/default state: link @@ -134,12 +134,12 @@ tags: - nginx -- include: server_status_write.yml +- ansible.builtin.include: server_status_write.yml tags: - nginx - name: Verify that the service is enabled and started - service: + ansible.builtin.service: name: nginx enabled: yes state: started @@ -147,7 +147,7 @@ - nginx - name: Check if Munin is installed - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: stat_munin_node @@ -155,16 +155,16 @@ - nginx - munin -- include: munin_vhost.yml +- ansible.builtin.include: munin_vhost.yml when: stat_munin_node.stat.exists tags: - nginx - munin -- include: munin_graphs.yml +- ansible.builtin.include: munin_graphs.yml when: stat_munin_node.stat.exists tags: - nginx - munin -- include: logrotate.yml +- ansible.builtin.include: logrotate.yml diff --git a/nginx/tasks/munin_graphs.yml b/nginx/tasks/munin_graphs.yml index 5958c856..f2a6e4b5 100644 --- a/nginx/tasks/munin_graphs.yml +++ b/nginx/tasks/munin_graphs.yml @@ -1,14 +1,14 @@ --- - name: Munin config for Nginx is present - template: + ansible.builtin.template: src: munin/evolinux.nginx dest: /etc/munin/plugin-conf.d/ mode: "0644" notify: restart munin - name: Munin plugins for Nginx are installed - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/{{ item }}' dest: '/etc/munin/plugins/{{ item }}' state: link diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index 5aa137c9..98cc8672 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml 
@@ -1,13 +1,13 @@ --- - name: Add munin to hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: 'munin$' line: '127.0.0.1 munin' insertafter: EOF - name: Packages for Munin CGI are installed - apt: + ansible.builtin.apt: name: - liblwp-useragent-determined-perl - libcgi-fast-perl @@ -15,22 +15,24 @@ state: present - name: Owner for munin-cgi is set to www-data:munin - shell: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*" + ansible.builtin.shell: + cmd: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*" register: command_result changed_when: "'changed' in command_result.stdout" - name: Mode for munin-cgi is set to 660 - shell: "chmod --verbose 660 /var/log/munin/munin-cgi-*" + ansible.builtin.shell: + cmd: "chmod --verbose 660 /var/log/munin/munin-cgi-*" register: command_result changed_when: "'changed' in command_result.stdout" - name: Systemd unit for Munin-fcgi is installed - copy: + ansible.builtin.copy: src: systemd/spawn-fcgi-munin-graph.service dest: /etc/systemd/system/spawn-fcgi-munin-graph.service - name: Systemd unit for Munin-fcgi is started - systemd: + ansible.builtin.systemd: name: spawn-fcgi-munin-graph daemon_reload: yes enabled: yes diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml index f2c0596f..fd9febcf 100644 --- a/nginx/tasks/packages.yml +++ b/nginx/tasks/packages.yml @@ -1,16 +1,16 @@ -- set_fact: +- ansible.builtin.set_fact: nginx_default_package_name: nginx-light when: nginx_minimal | bool -- include: packages_backports.yml +- ansible.builtin.include: packages_backports.yml when: nginx_backports | bool # TODO: install "nginx" + only necessary modules, instead of "nginx-full" - name: Nginx is installed - apt: + ansible.builtin.apt: name: "{{ nginx_package_name | default(nginx_default_package_name) }}" state: present tags: diff --git a/nginx/tasks/packages_backports.yml b/nginx/tasks/packages_backports.yml index 820d8713..aac2304d 100644 --- a/nginx/tasks/packages_backports.yml 
+++ b/nginx/tasks/packages_backports.yml @@ -1,7 +1,7 @@ --- - name: Backports repository is configured - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml tags: @@ -9,7 +9,7 @@ - packages - name: Prefer Nginx packages from backports - template: + ansible.builtin.template: src: apt/nginx_preferences dest: /etc/apt/preferences.d/999-nginx force: yes @@ -20,7 +20,7 @@ - packages - name: APT cache is updated - apt: + ansible.builtin.apt: update_cache: yes when: nginx_apt_preferences is changed tags: diff --git a/nginx/tasks/server_status_read.yml b/nginx/tasks/server_status_read.yml index 652bc154..e97d898a 100644 --- a/nginx/tasks/server_status_read.yml +++ b/nginx/tasks/server_status_read.yml @@ -1,7 +1,7 @@ --- - name: "server status dirname exists '{{ nginx_serverstatus_suffix_file | dirname }}'" - file: + ansible.builtin.file: dest: "{{ nginx_serverstatus_suffix_file | dirname }}" mode: "0700" owner: root @@ -9,7 +9,7 @@ state: directory - name: set nginx serverstatus suffix if provided - copy: + ansible.builtin.copy: dest: "{{ nginx_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ nginx_serverstatus_suffix }}\u000A" 
@@ -17,20 +17,22 @@ when: nginx_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix - shell: "apg -a 1 -M N -n 1 > {{ nginx_serverstatus_suffix_file }}" + ansible.builtin.shell: + cmd: "apg -a 1 -M N -n 1 > {{ nginx_serverstatus_suffix_file }}" args: creates: "{{ nginx_serverstatus_suffix_file }}" - name: read nginx server status suffix - command: "tail -n 1 {{ nginx_serverstatus_suffix_file }}" + ansible.builtin.command: + cmd: "tail -n 1 {{ nginx_serverstatus_suffix_file }}" changed_when: False check_mode: no register: new_nginx_serverstatus_suffix - name: overwrite nginx_serverstatus_suffix - set_fact: + ansible.builtin.set_fact: nginx_serverstatus_suffix: "{{ new_nginx_serverstatus_suffix.stdout }}" -- debug: +- ansible.builtin.debug: var: nginx_serverstatus_suffix verbosity: 1 diff --git a/nginx/tasks/server_status_write.yml b/nginx/tasks/server_status_write.yml index beb56c67..dbed56cb 100644 --- a/nginx/tasks/server_status_write.yml +++ b/nginx/tasks/server_status_write.yml @@ -1,19 +1,19 @@ --- - name: replace server-status suffix in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ nginx_serverstatus_suffix }}" - name: add server-status suffix in default site index if missing - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ nginx_serverstatus_suffix }}"' - name: add server-status suffix in default VHost - replace: + ansible.builtin.replace: dest: /etc/nginx/sites-available/evolinux-default.conf regexp: 'location /server-status-? {' replace: 'location /server-status-{{ nginx_serverstatus_suffix }} {' diff --git a/ntpd/handlers/main.yml b/ntpd/handlers/main.yml index 333d30de..70b41926 100644 --- a/ntpd/handlers/main.yml +++ b/ntpd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart ntp - service: + ansible.builtin.service: name: ntp state: restarted 
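Review bot: `nginx_serverstatus_suffix_file` is interpolated unquoted into both the `apg ... > {{ nginx_serverstatus_suffix_file }}` shell redirect and the `tail -n 1 {{ nginx_serverstatus_suffix_file }}` command, so a path containing whitespace or shell metacharacters would be split or interpreted by `sh`. Passing it through the `quote` filter, `cmd: "apg -a 1 -M N -n 1 > {{ nginx_serverstatus_suffix_file | quote }}"` and `cmd: "tail -n 1 {{ nginx_serverstatus_suffix_file | quote }}"`, keeps the path intact; the `@@ -56,26 +57,28 @@` hunk of packweb-apache/tasks/phpmyadmin.yml has the same pattern with `packweb_phpmyadmin_suffix_file`. The variable is presumably role-controlled rather than user input, so this is hardening rather than an open injection.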
diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index 2d66d765..ac5f8288 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -1,20 +1,20 @@ --- - name: Remove openntpd package - apt: + ansible.builtin.apt: name: openntpd state: absent tags: - ntp - name: Install ntp package - apt: + ansible.builtin.apt: name: ntp state: present tags: - ntp - name: Copy ntp config - template: + ansible.builtin.template: src: ntp.conf.j2 dest: /etc/ntp.conf mode: "0644" diff --git a/opendkim/handlers/main.yml b/opendkim/handlers/main.yml index ccf166a8..3cc7b05f 100644 --- a/opendkim/handlers/main.yml +++ b/opendkim/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: reload opendkim - systemd: + ansible.builtin.systemd: name: opendkim state: reloaded - name: restart opendkim - systemd: + ansible.builtin.systemd: name: opendkim state: restarted diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index 94aa3dfd..1c7a416a 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install OpenDKIM - apt: + ansible.builtin.apt: name: - opendkim - opendkim-tools @@ -11,7 +11,7 @@ - opendkim - name: Add user opendkim in ssl-cert group - user: + ansible.builtin.user: name: opendkim groups: ssl-cert state: present @@ -20,7 +20,7 @@ - opendkim - name: add 127.0.0.1 to TrustedHosts - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/opendkim/TrustedHosts' line: '127.0.0.1' create: True @@ -32,7 +32,7 @@ - opendkim - name: create config files - file: + ansible.builtin.file: name: "/etc/opendkim/{{ item }}" state: touch owner: opendkim @@ -46,7 +46,7 @@ - opendkim - name: copy OpenDKIM config - copy: + ansible.builtin.copy: src: opendkim.conf dest: /etc/opendkim.conf mode: "0644" @@ -57,7 +57,7 @@ - name: Set folder permissions to 0750 - file: + ansible.builtin.file: path: "/etc/opendkim/" owner: opendkim group: opendkim 
@@ -67,18 +67,18 @@ - opendkim - name: ensure opendkim is started and enabled - systemd: + ansible.builtin.systemd: name: opendkim state: started enabled: True tags: - opendkim -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: deploy opendkim-add.sh script - copy: + ansible.builtin.copy: src: opendkim-add.sh dest: /usr/share/scripts/opendkim-add.sh mode: "0750" diff --git a/openvpn/handlers/main.yml b/openvpn/handlers/main.yml index 44b0de93..cc74ea52 100644 --- a/openvpn/handlers/main.yml +++ b/openvpn/handlers/main.yml @@ -1,14 +1,15 @@ --- - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart nrpe - service: + ansible.builtin.service: name: nrpe state: restarted - name: reload packetfilter - command: pfctl -f /etc/pf.conf + ansible.builtin.command: + cmd: pfctl -f /etc/pf.conf diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index bee05d9e..9810a472 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -1,11 +1,11 @@ --- - name: Install OpenVPN - apt: + ansible.builtin.apt: name: openvpn - name: Delete unwanted OpenVPN folders - file: + ansible.builtin.file: state: absent dest: "/etc/openvpn/{{ item }}" with_items: @@ -13,7 +13,7 @@ - server - name: Create the _openvpn user - user: + ansible.builtin.user: name: _openvpn system: yes create_home: no @@ -21,7 +21,7 @@ shell: "/usr/sbin/nologin" - name: Create the shellpki user - user: + ansible.builtin.user: name: shellpki system: yes create_home: no @@ -29,18 +29,18 @@ shell: "/usr/sbin/nologin" - name: Create /etc/shellpki - file: + ansible.builtin.file: dest: "/etc/shellpki" mode: "0755" owner: shellpki group: shellpki state: directory -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Copy shellpki files - copy: + ansible.builtin.copy: src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" mode: "{{ item.mode }}" 
@@ -51,7 +51,7 @@ - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "root" } - name: Add sudo rights - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/sudoers.d/shellpki" regexp: '/usr/local/sbin/shellpki' line: "%shellpki ALL = (root) /usr/local/sbin/shellpki" @@ -62,7 +62,7 @@ validate: 'visudo -cf %s' - name: Deploy OpenVPN client config template - template: + ansible.builtin.template: src: "ovpn.conf.j2" dest: "/etc/shellpki/ovpn.conf" mode: "0600" @@ -70,15 +70,15 @@ group: shellpki - name: Generate dhparam - openssl_dhparam: + community.crypto.openssl_dhparam: path: /etc/shellpki/dh2048.pem size: 2048 -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Deploy OpenVPN server config - template: + ansible.builtin.template: src: "server.conf.j2" dest: "/etc/openvpn/server.conf" mode: "0600" @@ -86,21 +86,22 @@ group: root - name: Is minifirewall installed ? - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" check_mode: no changed_when: False register: minifirewall_config - name: Retrieve the default interface - shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2" + ansible.builtin.shell: + cmd: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2" check_mode: no changed_when: False register: minifirewall_int when: minifirewall_config.stat.exists - name: Add minifirewall rule in config file - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "{{ item }}" with_items: @@ -109,7 +110,7 @@ when: minifirewall_config.stat.exists - name: Activate minifirewall rule - iptables: + ansible.builtin.iptables: table: nat chain: POSTROUTING source: "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}" 
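Review bot: The `grep '^INT=' /etc/default/minifirewall | cut` pipeline in the "Retrieve the default interface" task reports only `cut`'s exit status, so when no `INT=` line exists the task succeeds with an empty `minifirewall_int.stdout`. Either prefix the command with `set -o pipefail && ` and add `executable: /bin/bash`, as percona/tasks/main.yml does in this same patch, or add `failed_when: minifirewall_int.stdout | length == 0` so the gap is caught where it occurs. The tasks that consume `minifirewall_int` are outside this hunk, so whether they tolerate an empty value is inferred, not seen.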
@@ -118,7 +119,7 @@ when: minifirewall_config.stat.exists - name: Add 1194/udp OpenVPN port to public services in minifirewall - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" regexp: "^SERVICESUDP1='(.*)?'$" replace: "SERVICESUDP1='\\1 1194'" @@ -126,7 +127,7 @@ when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv4 - iptables: + ansible.builtin.iptables: chain: INPUT protocol: udp destination_port: "1194" @@ -135,7 +136,7 @@ when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv6 - iptables: + ansible.builtin.iptables: chain: INPUT protocol: udp destination_port: "1194" @@ -144,23 +145,23 @@ when: minifirewall_config.stat.exists - name: Enable forwarding - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: "1" sysctl_file: "/etc/sysctl.d/openvpn.conf" - name: Configure logrotate for OpenVPN - copy: + ansible.builtin.copy: src: logrotate_openvpn dest: /etc/logrotate.d/openvpn force: no - name: Generate a password for the management interface - set_fact: + ansible.builtin.set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" - name: Set the management password - copy: + ansible.builtin.copy: dest: "/etc/openvpn/management-pwd" content: "{{ management_pwd }}" mode: "0600" 
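Review bot: The `set_fact` that creates `management_pwd` and the `copy` that writes it to /etc/openvpn/management-pwd carry no `no_log`, so the generated password is printed in verbose or `--diff` runs and kept in any stored task result. Add `no_log: True` to both tasks; the `lineinfile` in the `@@ -197,18 +198,18 @@` hunk that embeds the same password into nrpe.d/evolix.cfg needs it too, as do the OpenBSD counterparts in openvpn/tasks/openbsd.yml. Because the lookup reads from `/dev/null`, a fresh password is generated on every run, which presumably rewrites the file and the NRPE line each time — worth confirming that is intended.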
@@ -168,27 +169,27 @@ group: root - name: Enable openvpn service - systemd: + ansible.builtin.systemd: name: "openvpn@server.service" enabled: yes - name: Is NRPE installed ? - stat: + ansible.builtin.stat: path: "/etc/nagios/nrpe.d/evolix.cfg" check_mode: no changed_when: False register: nrpe_evolix_config - name: Install NRPE check dependencies - apt: + ansible.builtin.apt: name: libnet-telnet-perl when: nrpe_evolix_config.stat.exists -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install OpenVPN NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_debian.pl" dest: "/usr/local/lib/nagios/plugins/check_openvpn" mode: "0755" @@ -197,18 +198,18 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE OpenVPN check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install OpenVPN certificates NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_certificates.sh" dest: "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" mode: "0755" @@ -217,7 +218,7 @@ when: nrpe_evolix_config.stat.exists - name: Add sudo rights for NRPE check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/sudoers.d/openvpn" regexp: 'check_openvpn_certificates.sh' line: "nagios ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" 
@@ -229,18 +230,18 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE certificates check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn_certificates\]=' line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Copy script to check expirations - copy: + ansible.builtin.copy: src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" 
@@ -248,42 +249,45 @@ group: root - name: Install cron to warn about certificates expiration - cron: + ansible.builtin.cron: name: "OpenVPN certificates expiration" special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password - set_fact: + ansible.builtin.set_fact: ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}" check_mode: no changed_when: no - name: Initialization of the CA - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' - name: Creation of the server's certificate - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' - name: Get the server key - shell: 'ls -tr /etc/shellpki/private/ | tail -1' + ansible.builtin.shell: + cmd: 'ls -tr /etc/shellpki/private/ | tail -1' register: ca_key check_mode: no changed_when: no - name: Configure the server key - replace: + ansible.builtin.replace: path: /etc/openvpn/server.conf regexp: 'key /etc/shellpki/private/TO_COMPLETE' replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}' - name: Restart OpenVPN - systemd: + ansible.builtin.systemd: name: "openvpn@server.service" state: restarted - name: Warn the user about manual checks - pause: + ansible.builtin.pause: prompt: | /!\ WARNING /!\ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service". diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml index 1e20772a..26a04ee7 100644 --- a/openvpn/tasks/main.yml +++ b/openvpn/tasks/main.yml 
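Review bot: The CA password is still placed inside the command string of the `shellpki init` and `shellpki create` tasks, so after this change it is passed to `sh -c` and is visible in the process list while the command runs and in any verbose or stored play output, and neither these tasks nor the `set_fact` that creates `ca_pwd` carries `no_log`. Moving the secret into the task-level `environment` keyword and marking the tasks `no_log: True` keeps it out of the command line and the play output; the `@@ -176,42 +176,45 @@` hunk of openvpn/tasks/openbsd.yml has the same two tasks and needs the same treatment. Separately, the `ls -tr /etc/shellpki/private/ | tail -1` pipeline has no pipefail and no non-empty check, so an empty directory yields an empty `ca_key.stdout` and the following `replace` silently writes an incomplete `key` path into server.conf.
```yaml
- name: Initialization of the CA
  ansible.builtin.shell:
    cmd: 'shellpki init --non-interactive {{ ansible_fqdn }}'
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: True

- name: Creation of the server's certificate
  ansible.builtin.shell:
    cmd: 'shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: True
# … unchanged: Get the server key, Configure the server key, Restart OpenVPN, Warn the user …
```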
@@ -1,15 +1,15 @@ --- - name: System compatibility checks - assert: + ansible.builtin.assert: that: "ansible_distribution == 'Debian' or ansible_distribution == 'OpenBSD'" msg: "Only compatible with Debian and OpenBSD" - name: Include Debian version - include: debian.yml + ansible.builtin.include: debian.yml when: ansible_distribution == "Debian" - name: Include OpenBSD version - include: openbsd.yml + ansible.builtin.include: openbsd.yml when: ansible_distribution == "OpenBSD" diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index e33923e1..28781880 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -1,12 +1,12 @@ --- - name: Install OpenVPN - openbsd_pkg: + community.general.openbsd_pkg: name: openvpn-- when: ansible_distribution == 'OpenBSD' - name: Create /etc/openvpn - file: + ansible.builtin.file: dest: "/etc/openvpn" state: directory owner: root @@ -14,7 +14,7 @@ mode: "0755" - name: Create the shellpki user - user: + ansible.builtin.user: name: _shellpki system: yes create_home: no @@ -22,7 +22,7 @@ shell: "/sbin/nologin" - name: Create /etc/shellpki - file: + ansible.builtin.file: dest: "/etc/shellpki" state: directory owner: _shellpki @@ -30,7 +30,7 @@ mode: "0755" - name: Copy shellpki files - copy: + ansible.builtin.copy: src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" mode: "{{ item.mode }}" @@ -41,14 +41,14 @@ - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "wheel" } - name: Add sudo rights - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/sudoers" regexp: '/usr/local/sbin/shellpki' line: "%_shellpki ALL = (root) /usr/local/sbin/shellpki" validate: 'visudo -cf %s' - name: Deploy OpenVPN client config template - template: + ansible.builtin.template: src: "ovpn.conf.j2" dest: "/etc/shellpki/ovpn.conf" mode: "0640" 
@@ -56,12 +56,12 @@ group: _shellpki - name: Generate dhparam - openssl_dhparam: + community.crypto.openssl_dhparam: path: /etc/shellpki/dh2048.pem size: 2048 - name: Deploy OpenVPN server config - template: + ansible.builtin.template: src: "server.conf.j2" dest: "/etc/openvpn/server.conf" mode: "0600" @@ -69,7 +69,7 @@ group: wheel - name: Configure PacketFilter - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/pf.conf" line: "{{ item }}" validate: 'pfctl -nf %s' @@ -79,7 +79,7 @@ - "pass in quick on $ext_if proto udp from any to self port 1194" - name: Create a cron to rotate the logs - cron: + ansible.builtin.cron: name: "OpenVPN logs rotation" weekday: "6" hour: "4" @@ -87,11 +87,11 @@ job: "cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo \"$(date +\\%F' '\\%R) - logfile turned over via cron\" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name \"openvpn.log.*\" -mtime +365 -exec rm {} \\+" - name: Generate a password for the management interface - set_fact: + ansible.builtin.set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" - name: Set the management password - copy: + ansible.builtin.copy: dest: "/etc/openvpn/management-pwd" content: "{{ management_pwd }}" mode: "0600" 
@@ -99,30 +99,30 @@ group: wheel - name: Enable openvpn service - service: + ansible.builtin.service: name: openvpn enabled: yes - name: Set openvpn flags - lineinfile: + ansible.builtin.lineinfile: dest: /etc/rc.conf.local regexp: "^openvpn_flags=" line: "openvpn_flags=--daemon --config /etc/openvpn/server.conf" create: yes - name: Is NRPE installed ? - stat: + ansible.builtin.stat: path: "/etc/nrpe.d/evolix.cfg" check_mode: no register: nrpe_evolix_config - name: Install NRPE check dependencies - openbsd_pkg: + community.general.openbsd_pkg: name: p5-Net-Telnet when: nrpe_evolix_config.stat.exists - name: Install OpenVPN NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_openbsd.pl" dest: "/usr/local/libexec/nagios/plugins/check_openvpn.pl" mode: "0755" @@ -131,7 +131,7 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE OpenVPN check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" @@ -143,7 +143,7 @@ when: nrpe_evolix_config.stat.exists - name: Install OpenVPN certificates NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_certificates.sh" dest: "/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" mode: "0755" @@ -152,7 +152,7 @@ when: nrpe_evolix_config.stat.exists - name: Add doas rights for NRPE check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/doas.conf" regexp: 'check_openvpn_certificates.sh' line: "permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" 
@@ -160,7 +160,7 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE certificates check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn_certificates\]=' line: "command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" @@ -168,7 +168,7 @@ when: nrpe_evolix_config.stat.exists - name: Copy script to check expirations - copy: + ansible.builtin.copy: src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" 
@@ -176,42 +176,45 @@ group: wheel - name: Install cron to warn about certificates expiration - cron: + ansible.builtin.cron: name: "OpenVPN certificates expiration" special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password - set_fact: + ansible.builtin.set_fact: ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}" check_mode: no changed_when: no - name: Initialization of the CA - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' - name: Creation of the server's certificate - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' - name: Get the server key - shell: 'ls -tr /etc/shellpki/private/ | tail -1' + ansible.builtin.shell: + cmd: 'ls -tr /etc/shellpki/private/ | tail -1' register: ca_key check_mode: no changed_when: no - name: Configure the server key - replace: + ansible.builtin.replace: path: /etc/openvpn/server.conf regexp: 'key /etc/shellpki/private/TO_COMPLETE' replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}' - name: Restart OpenVPN - service: + ansible.builtin.service: name: openvpn state: restarted - name: Warn the user about manual checks - pause: + ansible.builtin.pause: prompt: | /!\ WARNING /!\ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn". diff --git a/packweb-apache/handlers/main.yml b/packweb-apache/handlers/main.yml index af4d94d2..f9170bc9 100644 --- a/packweb-apache/handlers/main.yml +++ b/packweb-apache/handlers/main.yml 
@@ -1,10 +1,10 @@ --- - name: restart apache - service: + ansible.builtin.service: name: apache2 state: restarted - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 96c11e3a..434e75d0 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -1,14 +1,15 @@ --- - name: Check if Apache envvars have a PATH - command: "grep -E '^export PATH ' /etc/apache2/envvars" + ansible.builtin.command: + cmd: "grep -E '^export PATH ' /etc/apache2/envvars" failed_when: False changed_when: False register: envvar_grep_path check_mode: no - name: Add a PATH envvar for Apache - blockinfile: + ansible.builtin.blockinfile: dest: /etc/apache2/envvars marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH" block: | @@ -17,7 +18,7 @@ when: envvar_grep_path.rc != 0 - name: Additional packages are installed - apt: + ansible.builtin.apt: name: - libapache2-mod-security2 - modsecurity-crs @@ -25,7 +26,7 @@ state: present - name: Additional modules are enabled - apache2_module: + community.general.apache2_module: name: '{{ item }}' state: present loop: @@ -36,7 +37,7 @@ - log_forensic - name: Copy Apache settings for modules - copy: + ansible.builtin.copy: src: "evolinux-modsec.conf" dest: "/etc/apache2/conf-available/evolinux-modsec.conf" owner: root @@ -45,7 +46,7 @@ force: no - name: Copy Apache settings for modules - template: + ansible.builtin.template: src: "evolinux-evasive.conf.j2" dest: "/etc/apache2/conf-available/evolinux-evasive.conf" owner: root @@ -54,7 +55,8 @@ force: no - name: Ensure Apache modules configs are enabled - command: "a2enconf {{ item }}" + ansible.builtin.command: + cmd: "a2enconf {{ item }}" register: command_result changed_when: "'Enabling' in command_result.stderr" loop: diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 5ea0fa57..08c94381 100644 
--- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -1,11 +1,11 @@ --- - name: Install awstats - apt: + ansible.builtin.apt: name: awstats state: present - name: Configure awstats - blockinfile: + ansible.builtin.blockinfile: dest: /etc/awstats/awstats.conf.local marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB" block: | @@ -24,7 +24,7 @@ mode: "0644" - name: Create conf-available/awstats-icon.conf file - copy: + ansible.builtin.copy: dest: /etc/apache2/conf-available/awstats-icon.conf content: | Alias /awstats-icon/ /usr/share/awstats/icon/ @@ -35,20 +35,21 @@ mode: "0644" - name: Enable apache awstats-icon configuration - command: "a2enconf awstats-icon" + ansible.builtin.command: + cmd: "a2enconf awstats-icon" register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache - name: Create awstats cron - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cron.d/awstats create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" - name: Comment default awstat cron's tasks - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cron.d/awstats regexp: "(?i)^([^#]*update\\.sh.*)" line: '#\1' diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml index c22d4e0b..cd0efd40 100644 --- a/packweb-apache/tasks/dependencies.yml +++ b/packweb-apache/tasks/dependencies.yml 
@@ -1,21 +1,21 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/apache -- include_role: +- ansible.builtin.include_role: name: evolix/php vars: php_apache_enable: True when: packweb_apache_modphp -- include_role: +- ansible.builtin.include_role: name: evolix/php vars: php_fpm_enable: True when: packweb_apache_fpm -- include_role: +- ansible.builtin.include_role: name: evolix/squid vars: squid_localproxy_enable: True @@ -24,53 +24,53 @@ name: evolix/mysql when: packweb_mysql_variant == "debian" -- include_role: +- ansible.builtin.include_role: name: evolix/mysql-oracle when: packweb_mysql_variant == "oracle" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php56 lxc_php_create_mysql_link: True when: "'php56' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php70 lxc_php_create_mysql_link: True when: "'php70' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php73 lxc_php_create_mysql_link: True when: "'php73' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php74 lxc_php_create_mysql_link: True when: "'php74' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php80 lxc_php_create_mysql_link: True when: "'php80' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php81 lxc_php_create_mysql_link: True when: "'php81' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/webapps/evoadmin-web vars: evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" diff --git a/packweb-apache/tasks/fhs_retrictions.yml b/packweb-apache/tasks/fhs_retrictions.yml index 7fa41478..6cb486d6 100644 
--- a/packweb-apache/tasks/fhs_retrictions.yml +++ b/packweb-apache/tasks/fhs_retrictions.yml @@ -1,7 +1,8 @@ --- - name: Remove read permission on some folders (/, /etc, ...) - shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}" + ansible.builtin.shell: + cmd: "test -d {{ item }} && chmod --verbose o-r {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False @@ -25,7 +26,8 @@ - /etc/default - name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...) - shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}" + ansible.builtin.shell: + cmd: "test -d {{ item }} && chmod --verbose 750 {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False @@ -41,13 +43,14 @@ - /var/log/installer - name: Change group to www-data for /etc/phpmyadmin/ - file: + ansible.builtin.file: dest: /etc/phpmyadmin/ group: www-data state: directory - name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...) - shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}" + ansible.builtin.shell: + cmd: "test -f {{ item }} && chmod --verbose u-s {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False @@ -59,7 +62,8 @@ - /usr/bin/mtr - name: Set 640 permission on some files (/var/log/evolix.log, ...) - shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}" + ansible.builtin.shell: + cmd: "test -f {{ item }} && chmod --verbose 640 {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index c0a44935..7843a642 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml 
@@ -1,46 +1,46 @@ --- - name: Dependencies are satisfied - include_tasks: dependencies.yml + ansible.builtin.include_tasks: dependencies.yml -- fail: +- ansible.builtin.fail: msg: only compatible with Debian >= 8 when: - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<') - name: Additional packages are installed - apt: + ansible.builtin.apt: name: - zip - unzip state: present - name: install info.php - copy: + ansible.builtin.copy: src: info.php dest: /var/www/info.php mode: "0644" - name: enable info.php link in default site index - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html line: '
  • Infos PHP
  • ' regexp: "Infos PHP" - name: install opcache.php - copy: + ansible.builtin.copy: src: opcache.php dest: /var/www/opcache.php mode: "0644" - name: enable opcache.php link in default site index - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html line: '
  • Infos OpCache PHP
  • ' regexp: "Infos OpCache PHP" - name: Add elements to user account template - file: + ansible.builtin.file: path: "/etc/skel/{{ item.path }}" state: "{{ item.state }}" mode: "{{ item.mode }}" @@ -50,7 +50,8 @@ - { path: www, mode: "0750", state: directory } - name: Apache log file (templates) are present - command: "touch /etc/skel/log/{{ item }}" + ansible.builtin.command: + cmd: "touch /etc/skel/log/{{ item }}" args: creates: "/etc/skel/log/{{ item }}" loop: @@ -58,37 +59,37 @@ - error.log - name: Apache log file (templates) have the proper permissions - file: + ansible.builtin.file: dest: "/etc/skel/log/{{ item }}" mode: "0644" loop: - access.log - error.log -- include_role: +- ansible.builtin.include_role: name: userlogrotate - name: Force DIR_MODE to 0750 in /etc/adduser.conf - lineinfile: + ansible.builtin.lineinfile: dest: /etc/adduser.conf regexp: '^DIR_MODE=' line: 'DIR_MODE=0750' -- include: apache.yml +- ansible.builtin.include: apache.yml -- include: phpmyadmin.yml +- ansible.builtin.include: phpmyadmin.yml -- include: awstats.yml +- ansible.builtin.include: awstats.yml -- include: fhs_retrictions.yml +- ansible.builtin.include: fhs_retrictions.yml when: packweb_fhs_retrictions | bool - name: Periodically cache ftp directory sizes for ftpadmin.sh - cron: + ansible.builtin.cron: name: "ProFTPd directory size caching" special_time: daily job: "/usr/share/scripts/evoadmin/stats.sh" -- include: multiphp.yml +- ansible.builtin.include: multiphp.yml when: packweb_multiphp_versions | length > 0 diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 8a7c9613..b6719374 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml 
@@ -1,16 +1,16 @@ --- - name: Enable proxy_fcgi - apache2_module: + community.general.apache2_module: state: present name: proxy_fcgi notify: restart apache2 -- include_role: +- ansible.builtin.include_role: name: remount-usr - name: Copy phpContainer script - copy: + ansible.builtin.copy: src: phpContainer dest: /usr/local/bin/phpContainer mode: "0755" @@ -27,7 +27,7 @@ # line: "alias php='sudo /usr/local/bin/phpContainer'" - name: Add multiphp sudoers file - copy: + ansible.builtin.copy: src: multiphp-sudoers dest: /etc/sudoers.d/multiphp mode: "0600" diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index f83b0a5d..11832300 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -1,18 +1,18 @@ --- - name: Install apg - apt: + ansible.builtin.apt: name: apg # On Debian 10, we need to install the package from buster-backports - name: Enable backports (Debian 10) - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml when: ansible_distribution_major_version is version('10', '=') - name: Prefer phpMyAdmin package from backports (Debian 10) - template: + ansible.builtin.template: src: phpmyadmin_apt_preferences.j2 dest: /etc/apt/preferences.d/999-phpmyadmin force: yes 
@@ -20,27 +20,28 @@ when: ansible_distribution_major_version is version('10', '=') - name: Install phpmyadmin - apt: + ansible.builtin.apt: name: phpmyadmin update_cache: yes - name: Check if phpmyadmin default configuration is present - stat: + ansible.builtin.stat: path: /etc/apache2/conf-enabled/phpmyadmin.conf register: pma_default_config -- debug: +- ansible.builtin.debug: var: pma_default_config verbosity: 1 - name: Disable phpmyadmin default configuration - command: "a2disconf phpmyadmin" + ansible.builtin.command: + cmd: "a2disconf phpmyadmin" register: command_result changed_when: "'Disabling' in command_result.stderr" when: pma_default_config.stat.exists - name: "phpmyadmin suffix dirname '{{ packweb_phpmyadmin_suffix_file | dirname }}' exists" - file: + ansible.builtin.file: dest: "{{ packweb_phpmyadmin_suffix_file | dirname }}" mode: "0700" owner: root @@ -48,7 +49,7 @@ state: directory - name: set phpmyadmin suffix if provided - copy: + ansible.builtin.copy: dest: "{{ packweb_phpmyadmin_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ packweb_phpmyadmin_suffix }}\u000A" 
@@ -56,26 +57,28 @@ when: packweb_phpmyadmin_suffix | length > 0 - name: generate random string for phpmyadmin suffix - shell: "apg -a 1 -M N -n 1 > {{ packweb_phpmyadmin_suffix_file }}" + ansible.builtin.shell: + cmd: "apg -a 1 -M N -n 1 > {{ packweb_phpmyadmin_suffix_file }}" args: creates: "{{ packweb_phpmyadmin_suffix_file }}" - name: read phpmyadmin suffix - command: "tail -n 1 {{ packweb_phpmyadmin_suffix_file }}" + ansible.builtin.command: + cmd: "tail -n 1 {{ packweb_phpmyadmin_suffix_file }}" changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix - name: overwrite packweb_phpmyadmin_suffix - set_fact: + ansible.builtin.set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" -- debug: +- ansible.builtin.debug: var: packweb_phpmyadmin_suffix verbosity: 1 - name: enable phpMyAdmin config - blockinfile: + ansible.builtin.blockinfile: dest: /etc/apache2/sites-available/000-evolinux-default.conf marker: "# {mark} phpMyAdmin section" block: | @@ -88,13 +91,13 @@ - name: enable phpmyadmin link in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '' replace: '
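Review bot: The `read phpmyadmin suffix` task keeps `check_mode: no`, so `tail -n 1 {{ packweb_phpmyadmin_suffix_file }}` runs during a `--check` run while the preceding `generate random string` shell task is skipped, and on a host where the file does not exist yet the dry run fails at `tail` instead of reporting what would change. Guarding it with `when: not ansible_check_mode`, or adding `failed_when: False` and a `default('')` on the registered `stdout` in the following `set_fact`, keeps dry runs usable on a fresh host. The suffix file is also created by shell redirection, so its mode comes from the remote umask; as it acts as an access-obscuring secret, an explicit `ansible.builtin.file` task setting `mode: "0600"` on `{{ packweb_phpmyadmin_suffix_file }}` would not rely solely on the `0700` parent directory set earlier.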
  • Accès PhpMyAdmin
  • ' - name: replace phpmyadmin suffix in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 6dc319ff..32637df7 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -1,22 +1,22 @@ --- -- set_fact: +- ansible.builtin.set_fact: percona__apt_config_package_file: "percona-release_latest.{{ ansible_distribution_release }}_all.deb" - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring - name: Percona embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "8507EFA5" keyring: /etc/apt/trusted.gpg state: absent when: _trusted_gpg_keyring.stat.exists - name: Add Percona GPG key - copy: + ansible.builtin.copy: src: percona.asc dest: "{{ apt_keyring_dir }}/percona.asc" force: yes @@ -25,8 +25,8 @@ group: root - name: Check if percona-release is installed - shell: "set -o pipefail && dpkg -l percona-release 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l percona-release 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -34,7 +34,7 @@ register: percona__apt_config_package_installed - name: Percona APT config package is available - copy: + ansible.builtin.copy: src: "{{ percona__apt_config_package_file }}" dest: "/root/{{ percona__apt_config_package_file }}" when: not (percona__apt_config_package_installed | bool) 
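Review bot: `when: not (percona__apt_config_package_installed | bool)` in the `@@ -34,7 +34,7 @@` hunk of `percona/tasks/main.yml` applies `bool` to the whole registered result of the `Check if percona-release is installed` shell task rather than to its exit code, so the condition does not appear to reflect whether the package is installed; `when: percona__apt_config_package_installed.rc != 0` here, and `rc == 0` on the repository branch further down, is what the task names describe. Separately, dropping `args:` in the `@@ -25,8 +25,8 @@` hunk is only correct if `executable: /bin/bash` now sits at the same indentation as `cmd:`; the collapsed view cannot confirm that, so an `ansible-playbook --syntax-check` pass is worth running. The same reshaping is applied to `Check if cron is installed` in `postfix/tasks/packmail.yml`.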
@@ -43,23 +43,23 @@ # name: evolix/remount-usr - name: Percona APT config package is installed from deb file - apt: + ansible.builtin.apt: deb: "/root/{{ percona__apt_config_package_file }}" state: present register: percona__apt_config_deb when: not (percona__apt_config_package_installed | bool) - name: Percona APT config package is installed from repository - apt: + ansible.builtin.apt: name: percona-release state: latest register: percona__apt_config_deb when: percona__apt_config_package_installed | bool - name: APT cache is up-to-date - apt: + ansible.builtin.apt: update_cache: yes when: percona__apt_config_deb is changed -- include: xtrabackup.yml +- ansible.builtin.include: xtrabackup.yml when: percona__install_xtrabackup | bool diff --git a/percona/tasks/xtrabackup.yml b/percona/tasks/xtrabackup.yml index 7d4e29d1..6a68fbff 100644 --- a/percona/tasks/xtrabackup.yml +++ b/percona/tasks/xtrabackup.yml @@ -1,16 +1,17 @@ --- - name: Percona Tools is enabled - command: percona-release enable tools release + ansible.builtin.command: + cmd: percona-release enable tools release # changed_when: # register: percona__release_enable_tools - name: APT cache is up-to-date - apt: + ansible.builtin.apt: update_cache: yes # when: percona__release_enable_tools is changed - name: Percona XtraBackup package is installed - apt: + ansible.builtin.apt: name: "{{ percona__xtrabackup_package_name }}" state: present diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml index 67639044..fefef4e1 100644 --- a/pgbouncer/tasks/main.yml +++ b/pgbouncer/tasks/main.yml 
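Review bot: `- ansible.builtin.include: xtrabackup.yml` migrates to the FQCN of an action that ansible-core has deprecated since 2.4 and slates for removal in 2.16, so the rewrite swaps an unqualified name for a qualified one that current controllers will refuse to load. The target is a static file name with a `when:`, so `ansible.builtin.include_tasks: xtrabackup.yml` (or `import_tasks` if the condition should be applied per included task) is the drop-in replacement, and `php/tasks/main.yml` in this same commit already uses `ansible.builtin.include_tasks`. The same `include` → `ansible.builtin.include` rewrite appears in `php/tasks/main_bookworm.yml`, `main_bullseye.yml`, `main_buster.yml`, `main_jessie.yml`, `main_stretch.yml` and `postfix/tasks/main.yml`.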
@@ -1,17 +1,17 @@ --- - name: PgBouncer is installed - apt: + ansible.builtin.apt: name: pgbouncer state: present - name: Limit for PgBouncer is set - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/pgbouncer line: ulimit -n 65536 - name: Add config file for PgBouncer - template: + ansible.builtin.template: src: pgbouncer.ini.j2 dest: /etc/pgbouncer/pgbouncer.ini - name: Populate userlist.txt - template: + ansible.builtin.template: src: userlist.txt.j2 dest: /etc/pgbouncer/userlist.txt diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 206eab3a..b333fe9b 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -1,36 +1,36 @@ --- - name: restart php5-fpm - service: + ansible.builtin.service: name: php5-fpm state: restarted - name: restart php5.6-fpm - service: + ansible.builtin.service: name: php5.6-fpm state: restarted - name: restart php7.0-fpm - service: + ansible.builtin.service: name: php7.0-fpm state: restarted - name: restart php7.3-fpm - service: + ansible.builtin.service: name: php7.3-fpm state: restarted - name: restart php7.4-fpm - service: + ansible.builtin.service: name: php7.4-fpm state: restarted - name: restart php8.1-fpm - service: + ansible.builtin.service: name: php8.1-fpm state: restarted - name: restart php8.2-fpm - service: + ansible.builtin.service: name: php8.2-fpm state: restarted diff --git a/php/tasks/config_apache.yml b/php/tasks/config_apache.yml index 795678fd..4ddc8448 100644 --- a/php/tasks/config_apache.yml +++ b/php/tasks/config_apache.yml @@ -1,7 +1,7 @@ --- - name: Set default values for PHP - ini_file: + community.general.ini_file: dest: "{{ php_apache_defaults_ini_file }}" section: PHP option: "{{ item.option }}" @@ -19,7 +19,7 @@ - { option: "opcache.max_accelerated_files", value: "8000" } - name: Disable PHP functions - ini_file: + community.general.ini_file: dest: "{{ php_apache_defaults_ini_file }}" section: PHP option: disable_functions 
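Review bot: `Populate userlist.txt` renders `/etc/pgbouncer/userlist.txt`, which holds the credentials PgBouncer authenticates with, without `owner`, `group` or `mode`, so a newly created file takes the remote umask and is likely world-readable. Adding `owner: postgres`, `group: postgres` and `mode: "0640"` (the account PgBouncer runs as under Debian's packaging) to that template task keeps the secrets from other local users; the same applies to `pgbouncer.ini` if it carries an `auth_query` or admin password. Neither template task notifies a handler, so a changed configuration is not reloaded until something else restarts the service — if that is intentional it deserves a comment.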
@@ -27,7 +27,7 @@ mode: "0644" - name: Custom php.ini - copy: + ansible.builtin.copy: dest: "{{ php_apache_custom_ini_file }}" content: | ; Put customized values here. @@ -36,7 +36,7 @@ force: no - name: "Set custom values for PHP to enable Symfony" - ini_file: + community.general.ini_file: dest: "{{ php_apache_custom_ini_file }}" section: PHP option: "{{ item.option }}" diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index d327690a..506a1077 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -1,6 +1,6 @@ --- - name: "Set default php.ini values for CLI" - ini_file: + community.general.ini_file: dest: "{{ php_cli_defaults_ini_file }}" section: PHP option: "{{ item.option }}" @@ -13,7 +13,7 @@ - { option: "disable_functions", value: "" } - name: Custom php.ini for CLI - copy: + ansible.builtin.copy: dest: "{{ php_cli_custom_ini_file }}" content: | ; Put customized values here. @@ -22,12 +22,12 @@ # This task is not merged with the above copy # because "force: no" prevents any fix after the fact - name: "Permissions for custom php.ini for CLI" - file: + ansible.builtin.file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" - name: "Set custom values for PHP to enable Symfony" - ini_file: + community.general.ini_file: dest: "{{ php_cli_custom_ini_file }}" section: PHP option: "{{ item.option }}" diff --git a/php/tasks/config_fpm.yml b/php/tasks/config_fpm.yml index ad543f19..9fc1cc33 100644 --- a/php/tasks/config_fpm.yml +++ b/php/tasks/config_fpm.yml @@ -1,7 +1,7 @@ --- - name: Set default php.ini values for FPM - ini_file: + community.general.ini_file: dest: "{{ php_fpm_defaults_ini_file }}" section: PHP option: "{{ item.option }}" @@ -20,7 +20,7 @@ notify: "restart {{ php_fpm_service_name }}" - name: Disable PHP functions for FPM - ini_file: + community.general.ini_file: dest: "{{ php_fpm_defaults_ini_file }}" section: PHP option: disable_functions 
@@ -28,7 +28,7 @@ notify: "restart {{ php_fpm_service_name }}" - name: Custom php.ini for FPM - copy: + ansible.builtin.copy: dest: "{{ php_fpm_custom_ini_file }}" content: | ; Put customized values here. @@ -36,7 +36,7 @@ notify: "restart {{ php_fpm_service_name }}" - name: Set default PHP FPM values - ini_file: + community.general.ini_file: dest: "{{ php_fpm_default_pool_file }}" section: www option: "{{ item.option }}" @@ -60,7 +60,7 @@ when: ansible_distribution_major_version is version('9', '>=') - name: Custom PHP FPM values - copy: + ansible.builtin.copy: dest: "{{ php_fpm_default_pool_custom_file }}" content: | ; Put customized values here. @@ -70,7 +70,7 @@ notify: "restart {{ php_fpm_service_name }}" - name: "Set custom values for PHP to enable Symfony" - ini_file: + community.general.ini_file: dest: "{{ php_cli_custom_ini_file }}" section: PHP option: "{{ item.option }}" @@ -82,7 +82,7 @@ when: php_symfony_requirements | bool - name: Delete debian default pool - file: + ansible.builtin.file: path: "{{ php_fpm_debian_default_pool_file | mandatory }}" state: absent notify: "restart {{ php_fpm_service_name }}" diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 180712b2..f9144832 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml 
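Review bot: In `php/tasks/config_fpm.yml`, the `Set custom values for PHP to enable Symfony` task writes to `dest: "{{ php_cli_custom_ini_file }}"` while every other task in the file targets `php_fpm_custom_ini_file` or `php_fpm_default_pool_custom_file`; this looks like a copy of the CLI task that was never repointed, so the Symfony settings presumably never reach FPM. If the FPM file is intended, the line becomes `dest: "{{ php_fpm_custom_ini_file }}"` and the task should also `notify: "restart {{ php_fpm_service_name }}"` like its neighbours. The task continues past the hunk (its `when: php_symfony_requirements | bool` appears in the next hunk's context), so confirm nothing later overrides it before changing it.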
@@ -1,23 +1,23 @@ --- -- assert: +- ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') - ansible_distribution_major_version is version('12', '<=') msg: This is only compatible with Debian 8 → 12 -- include_tasks: main_jessie.yml +- ansible.builtin.include_tasks: main_jessie.yml when: ansible_distribution_release == "jessie" -- include_tasks: main_stretch.yml +- ansible.builtin.include_tasks: main_stretch.yml when: ansible_distribution_release == "stretch" -- include_tasks: main_buster.yml +- ansible.builtin.include_tasks: main_buster.yml when: ansible_distribution_release == "buster" -- include_tasks: main_bullseye.yml +- ansible.builtin.include_tasks: main_bullseye.yml when: ansible_distribution_release == "bullseye" -- include_tasks: main_bookworm.yml +- ansible.builtin.include_tasks: main_bookworm.yml when: ansible_distribution_release == "bookworm" diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 6ad64399..d4dd381f 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -1,21 +1,21 @@ --- - name: "Set php version to 8.2 (Debian 12)" - set_fact: + ansible.builtin.set_fact: php_version: "8.2" when: - php_sury_enable == false check_mode: no - name: "Set php config directories (Debian 12)" - set_fact: + ansible.builtin.set_fact: php_cli_conf_dir: "/etc/php/{{ php_version }}/cli/conf.d" php_apache_conf_dir: "/etc/php/{{ php_version }}/apache2/conf.d" php_fpm_conf_dir: "/etc/php/{{ php_version }}/fpm/conf.d" php_fpm_pool_dir: "/etc/php/{{ php_version }}/fpm/pool.d" - name: "Set php config files (Debian 12)" - set_fact: + ansible.builtin.set_fact: php_cli_defaults_ini_file: "{{ php_cli_conf_dir }}/z-evolinux-defaults.ini" php_cli_custom_ini_file: "{{ php_cli_conf_dir }}/zzz-evolinux-custom.ini" php_apache_defaults_ini_file: "{{ php_apache_conf_dir }}/z-evolinux-defaults.ini" 
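Review bot: `when: - php_sury_enable == false` in the `Set php version to 8.2 (Debian 12)` task compares against a boolean literal, whereas `main_buster.yml` in the same commit uses `not (php_sury_enable | bool)`; when the variable arrives as a string (for example `-e php_sury_enable=false` or a quoted YAML value) the `==` form evaluates false and `php_version` stays unset. `when: not (php_sury_enable | bool)` matches the other release files and accepts both spellings. `main_bullseye.yml` carries the same `== False` comparison.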
@@ -31,7 +31,7 @@ # Packages - name: "Set package list (Debian 12)" - set_fact: + ansible.builtin.set_fact: php_stretch_packages: - php-cli - php-gd @@ -49,16 +49,16 @@ - composer - libphp-phpmailer -- include: sury_pre.yml +- ansible.builtin.include: sury_pre.yml when: php_sury_enable - name: "Install PHP packages (Debian 12)" - apt: + ansible.builtin.apt: name: '{{ php_stretch_packages }}' state: present - name: "Install mod_php packages (Debian 12)" - apt: + ansible.builtin.apt: name: - libapache2-mod-php - php @@ -66,7 +66,7 @@ when: php_apache_enable - name: "Install PHP FPM packages (Debian 12)" - apt: + ansible.builtin.apt: name: - php-fpm - php @@ -76,36 +76,36 @@ # Configuration - name: "Enforce permissions on PHP directory (Debian 12)" - file: + ansible.builtin.file: dest: "{{ item }}" mode: "0755" with_items: - /etc/php - /etc/php/{{ php_version }} -- include: config_cli.yml +- ansible.builtin.include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 12)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/cli mode: "0755" -- include: config_fpm.yml +- ansible.builtin.include: config_fpm.yml when: php_fpm_enable - name: "Enforce permissions on PHP fpm directory (Debian 12)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable -- include: config_apache.yml +- ansible.builtin.include: config_apache.yml when: php_apache_enable - name: "Enforce permissions on PHP apache2 directory (Debian 12)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable -- include: sury_post.yml +- ansible.builtin.include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 4cb185b7..b12740a7 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml 
@@ -1,14 +1,14 @@ --- - name: "Set php version to 7.4 if Sury repo is not enabled" - set_fact: + ansible.builtin.set_fact: php_version: "7.4" when: - php_sury_enable == False check_mode: no - name: "Set variables (Debian 11)" - set_fact: + ansible.builtin.set_fact: php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/z-evolinux-defaults.ini php_cli_custom_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini php_apache_defaults_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/z-evolinux-defaults.ini @@ -24,7 +24,7 @@ # Packages - name: "Set package list (Debian 11)" - set_fact: + ansible.builtin.set_fact: php_stretch_packages: - php-cli - php-gd @@ -41,16 +41,16 @@ - composer - libphp-phpmailer -- include: sury_pre.yml +- ansible.builtin.include: sury_pre.yml when: php_sury_enable - name: "Install PHP packages (Debian 11)" - apt: + ansible.builtin.apt: name: '{{ php_stretch_packages }}' state: present - name: "Install mod_php packages (Debian 11)" - apt: + ansible.builtin.apt: name: - libapache2-mod-php - php @@ -58,7 +58,7 @@ when: php_apache_enable - name: "Install PHP FPM packages (Debian 11)" - apt: + ansible.builtin.apt: name: - php{{ php_version }}-fpm - php{{ php_version }} 
@@ -68,33 +68,33 @@ # Configuration - name: "Enforce permissions on PHP directory (Debian 11)" - file: + ansible.builtin.file: dest: "{{ item }}" mode: "0755" with_items: - /etc/php - /etc/php/{{ php_version }} -- include: config_cli.yml +- ansible.builtin.include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 11)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/cli mode: "0755" -- include: config_fpm.yml +- ansible.builtin.include: config_fpm.yml when: php_fpm_enable - name: "Enforce permissions on PHP fpm directory (Debian 11)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable -- include: config_apache.yml +- ansible.builtin.include: config_apache.yml when: php_apache_enable - name: "Enforce permissions on PHP apache2 directory (Debian 11)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 58fda84e..588d21d5 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -1,17 +1,17 @@ --- -- debug: +- ansible.builtin.debug: var: php_sury_enable - name: "Set php version to 7.3 if Sury repo is not enabled" - set_fact: + ansible.builtin.set_fact: php_version: "7.3" check_mode: no when: - not (php_sury_enable | bool) - name: "Set variables (Debian 10)" - set_fact: + ansible.builtin.set_fact: php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zvolinux-defaults.ini php_cli_custom_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini php_apache_defaults_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/z-evolinux-defaults.ini @@ -27,7 +27,7 @@ # Packages - name: "Set package list (Debian 10)" - set_fact: + ansible.builtin.set_fact: php_stretch_packages: - php-cli - php-gd 
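Review bot: `php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zvolinux-defaults.ini` in `main_buster.yml` uses a `zvolinux-` prefix while every other release file and the custom-file line just below use `z-evolinux-`, so this looks like a typo rather than an intentional name. Renaming it to `z-evolinux-defaults.ini` would align Debian 10 with the others, but hosts already configured by this role keep the old file, so the change needs a companion `ansible.builtin.file: state: absent` task for the `zvolinux-` path or a comment explaining why it is left as is. The `set_fact` task runs past the end of the hunk.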
@@ -45,16 +45,16 @@ - composer - libphp-phpmailer -- include: sury_pre.yml +- ansible.builtin.include: sury_pre.yml when: php_sury_enable | bool - name: "Install PHP packages (Debian 10)" - apt: + ansible.builtin.apt: name: '{{ php_stretch_packages }}' state: present - name: "Install mod_php packages (Debian 10)" - apt: + ansible.builtin.apt: name: - libapache2-mod-php - php @@ -62,7 +62,7 @@ when: php_apache_enable | bool - name: "Install PHP FPM packages (Debian 10)" - apt: + ansible.builtin.apt: name: - php{{ php_version }}-fpm - php{{ php_version }} @@ -72,33 +72,33 @@ # Configuration - name: "Enforce permissions on PHP directory (Debian 10)" - file: + ansible.builtin.file: dest: "{{ item }}" mode: "0755" loop: - /etc/php - /etc/php/{{ php_version }} -- include: config_cli.yml +- ansible.builtin.include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 10)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/cli mode: "0755" -- include: config_fpm.yml +- ansible.builtin.include: config_fpm.yml when: php_fpm_enable | bool - name: "Enforce permissions on PHP fpm directory (Debian 10)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable | bool -- include: config_apache.yml +- ansible.builtin.include: config_apache.yml when: php_apache_enable | bool - name: "Enforce permissions on PHP apache2 directory (Debian 10)" - file: + ansible.builtin.file: dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable | bool diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 75105166..fc517533 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml 
@@ -1,7 +1,7 @@ --- - name: "Set variables (Debian 8)" - set_fact: + ansible.builtin.set_fact: php_cli_defaults_ini_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini php_cli_custom_ini_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini php_apache_defaults_ini_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini @@ -17,7 +17,7 @@ # Packages - name: "Install PHP packages (Debian 8)" - apt: + ansible.builtin.apt: name: - php5-cli - php5-gd @@ -35,7 +35,7 @@ state: present - name: "Install mod_php packages (Debian 8)" - apt: + ansible.builtin.apt: name: - libapache2-mod-php5 - php5 @@ -43,7 +43,7 @@ when: php_apache_enable | bool - name: "Install PHP FPM packages (Debian 8)" - apt: + ansible.builtin.apt: name: - php5-fpm - php5 @@ -53,31 +53,31 @@ # Configuration - name: Enforce permissions on PHP directory (Debian 8) - file: + ansible.builtin.file: dest: /etc/php5 mode: "0755" -- include: config_cli.yml +- ansible.builtin.include: config_cli.yml - name: Enforce permissions on PHP cli directory (Debian 8) - file: + ansible.builtin.file: dest: /etc/php5/cli mode: "0755" -- include: config_fpm.yml +- ansible.builtin.include: config_fpm.yml when: php_fpm_enable | bool - name: Enforce permissions on PHP fpm directory (Debian 8) - file: + ansible.builtin.file: dest: /etc/php5/fpm mode: "0755" when: php_fpm_enable | bool -- include: config_apache.yml +- ansible.builtin.include: config_apache.yml when: php_apache_enable | bool - name: Enforce permissions on PHP apache2 directory (Debian 8) - file: + ansible.builtin.file: dest: /etc/php5/apache2 mode: "0755" when: php_apache_enable | bool diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 698621ac..25f264b7 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml 
@@ -1,7 +1,7 @@ --- - name: "Set variables (Debian 9)" - set_fact: + ansible.builtin.set_fact: php_cli_defaults_ini_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini php_cli_custom_ini_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini php_apache_defaults_ini_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini @@ -17,7 +17,7 @@ # Packages - name: "Set package list (Debian 9)" - set_fact: + ansible.builtin.set_fact: php_stretch_packages: - php-cli - php-gd @@ -35,16 +35,16 @@ - composer - libphp-phpmailer -- include: sury_pre.yml +- ansible.builtin.include: sury_pre.yml when: php_sury_enable | bool - name: "Install PHP packages (Debian 9)" - apt: + ansible.builtin.apt: name: '{{ php_stretch_packages }}' state: present - name: "Install mod_php packages (Debian 9)" - apt: + ansible.builtin.apt: name: - libapache2-mod-php - php @@ -52,7 +52,7 @@ when: php_apache_enable | bool - name: "Install PHP FPM packages (Debian 9)" - apt: + ansible.builtin.apt: name: - php-fpm - php 
@@ -62,37 +62,37 @@ # Configuration - name: "Enforce permissions on PHP directory (Debian 9)" - file: + ansible.builtin.file: dest: "{{ item }}" mode: "0755" loop: - /etc/php - /etc/php/7.0 -- include: config_cli.yml +- ansible.builtin.include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 9)" - file: + ansible.builtin.file: dest: /etc/php/7.0/cli mode: "0755" -- include: config_fpm.yml +- ansible.builtin.include: config_fpm.yml when: php_fpm_enable | bool - name: "Enforce permissions on PHP fpm directory (Debian 9)" - file: + ansible.builtin.file: dest: /etc/php/7.0/fpm mode: "0755" when: php_fpm_enable | bool -- include: config_apache.yml +- ansible.builtin.include: config_apache.yml when: php_apache_enable | bool - name: "Enforce permissions on PHP apache2 directory (Debian 9)" - file: + ansible.builtin.file: dest: /etc/php/7.0/apache2 mode: "0755" when: php_apache_enable | bool -- include: sury_post.yml +- ansible.builtin.include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 4e706889..ef4d3c7e 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -1,7 +1,7 @@ --- - name: Symlink Evolix CLI config files from 7.4 to 7.0 - file: + ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" force: yes @@ -11,12 +11,12 @@ - { src: "{{ php_cli_custom_ini_file }}", dest: "/etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini" } - name: Enforce permissions on PHP 7.4/cli directory - file: + ansible.builtin.file: dest: /etc/php/7.4/cli mode: "0755" - name: Symlink Evolix Apache config files from 7.4 to 7.0 - file: + ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" force: yes 
@@ -27,13 +27,13 @@ when: php_apache_enable | bool - name: Enforce permissions on PHP 7.4/cli directory - file: + ansible.builtin.file: dest: /etc/php/7.4/apache2 mode: "0755" when: php_apache_enable | bool - name: Symlink Evolix FPM config files from 7.4 to 7.0 - file: + ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" force: yes @@ -46,7 +46,7 @@ when: php_fpm_enable | bool - name: Enforce permissions on PHP 7.4/cli directory - file: + ansible.builtin.file: dest: /etc/php/7.4/fpm mode: "0755" when: php_fpm_enable | bool diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 7f5b6bf4..1f04b661 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -1,13 +1,13 @@ --- - name: Setup deb.sury.org repository - Install apt-transport-https - apt: + ansible.builtin.apt: name: apt-transport-https state: present when: ansible_distribution_major_version is version('10', '<') - name: copy pub.evolix.org GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" mode: "0644" @@ -15,7 +15,7 @@ group: root - name: Setup pub.evolix.org repository - Add source list - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main" filename: evolix-php state: present @@ -23,14 +23,14 @@ - ansible_distribution_release == "bullseye" - name: Setup deb.sury.org repository - Add preferences file - copy: + ansible.builtin.copy: src: sury.preferences dest: /etc/apt/preferences.d/z-sury when: - ansible_distribution_release != "bullseye" - name: Setup deb.sury.org repository - Add GPG key - copy: + ansible.builtin.copy: src: sury.gpg dest: "{{ apt_keyring_dir }}/sury.gpg" mode: "0644" 
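Review bot: The `Setup pub.evolix.org repository` task in `sury_pre.yml` keeps a plain `http://pub.evolix.org/evolix` source; `signed-by` covers authenticity and integrity of the index and packages, but a network observer can still see which packages and versions every host pulls, and `apt-transport-https` is already installed in this file for the Sury source. If pub.evolix.org serves TLS, switching the `repo:` line to `https://` needs no other change on Debian 10 and later. In `sury_post.yml` the three `Enforce permissions on PHP 7.4/cli directory` task names are copy-pasted onto the `apache2` and `fpm` directories; renaming them to match their `dest` makes play output readable.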
@@ -38,7 +38,7 @@ group: root - name: Add Sury repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main" filename: sury state: present @@ -54,12 +54,12 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: sury_sources is changed - name: "Override package list for Sury (Debian 9 or later)" - set_fact: + ansible.builtin.set_fact: php_stretch_packages: - php{{ php_version }}-cli - php{{ php_version }}-gd diff --git a/postfix/handlers/main.yml b/postfix/handlers/main.yml index 6c2e879b..d8cef9f7 100644 --- a/postfix/handlers/main.yml +++ b/postfix/handlers/main.yml @@ -1,13 +1,14 @@ --- - name: restart postfix - service: + ansible.builtin.service: name: postfix state: restarted - name: reload postfix - service: + ansible.builtin.service: name: postfix state: reloaded - name: postmap transport - command: postmap /etc/postfix/transport + ansible.builtin.command: + cmd: postmap /etc/postfix/transport diff --git a/postfix/tasks/common.yml b/postfix/tasks/common.yml index bcd5ed79..29e6dd07 100644 --- a/postfix/tasks/common.yml +++ b/postfix/tasks/common.yml @@ -1,7 +1,8 @@ --- - name: check if main.cf is default - shell: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -' + ansible.builtin.shell: + cmd: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -' changed_when: False check_mode: no register: default_main_cf @@ -9,7 +10,7 @@ - postfix - name: add lines in /etc/.gitignore - lineinfile: + ansible.builtin.lineinfile: dest: /etc/.gitignore line: '{{ item }}' state: present diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index d8caf2b2..4ef2858a 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml 
@@ -1,12 +1,12 @@ --- -- include: common.yml +- ansible.builtin.include: common.yml -- include: minimal.yml +- ansible.builtin.include: minimal.yml when: not (postfix_packmail | bool) -- include: packmail.yml +- ansible.builtin.include: packmail.yml when: postfix_packmail | bool -- include: slow_transport.yml +- ansible.builtin.include: slow_transport.yml when: postfix_slow_transport_include | bool diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml index 970b9dcb..f8ea1b0b 100644 --- a/postfix/tasks/minimal.yml +++ b/postfix/tasks/minimal.yml @@ -1,13 +1,13 @@ --- - name: ensure packages are installed - apt: + ansible.builtin.apt: name: postfix state: present tags: - postfix - name: create minimal main.cf - template: + ansible.builtin.template: src: evolinux_main.cf.j2 dest: /etc/postfix/main.cf owner: root diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 0407a72b..170dbd35 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -1,6 +1,6 @@ --- - name: ensure packages are installed - apt: + ansible.builtin.apt: name: - postfix - postfix-ldap @@ -11,7 +11,7 @@ - postfix - name: make /var/lib/mailgraph accessible by www-data - file: + ansible.builtin.file: path: "/var/lib/mailgraph" state: directory owner: www-data @@ -19,13 +19,13 @@ mode: '0755' - name: make sure a service Mailgraph is running - systemd: + ansible.builtin.systemd: name: mailgraph.service state: started enabled: true - name: create packmail main.cf - template: + ansible.builtin.template: src: packmail_main.cf.j2 dest: /etc/postfix/main.cf owner: root @@ -38,7 +38,7 @@ - postfix - name: deploy packmail master.cf - template: + ansible.builtin.template: src: packmail_master.cf.j2 dest: /etc/postfix/master.cf mode: "0644" @@ -47,7 +47,7 @@ - postfix - name: copy default filter files - copy: + ansible.builtin.copy: src: filter dest: "/etc/postfix/{{ item }}" force: no 
@@ -68,7 +68,8 @@ - postfix - name: postmap filter files - command: "postmap /etc/postfix/{{ item }}" + ansible.builtin.command: + cmd: "postmap /etc/postfix/{{ item }}" loop: - virtual - client.access @@ -86,7 +87,7 @@ - postfix - name: deploy ldap postfix config - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "/etc/postfix/{{ item }}" mode: "0644" @@ -98,13 +99,13 @@ tags: - postfix -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - postfix - name: copy spam.sh script - copy: + ansible.builtin.copy: src: spam.sh dest: /usr/share/scripts/spam.sh mode: "0700" @@ -112,8 +113,8 @@ - postfix - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -121,7 +122,7 @@ register: is_cron_installed - name: enable spam.sh cron - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cron.d/spam line: "42 * * * * root /usr/share/scripts/spam.sh" create: yes @@ -132,7 +133,8 @@ - postfix - name: update antispam list - command: /usr/share/scripts/spam.sh + ansible.builtin.command: + cmd: /usr/share/scripts/spam.sh changed_when: False tags: - postfix diff --git a/postfix/tasks/slow_transport.yml b/postfix/tasks/slow_transport.yml index 2f1867ae..6e42ef1d 100644 --- a/postfix/tasks/slow_transport.yml +++ b/postfix/tasks/slow_transport.yml @@ -1,6 +1,6 @@ --- - name: slow transport is defined in master.cf - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/master.cf regexp: "^slow " line: "slow unix - - n - - smtp" @@ -9,7 +9,7 @@ - postfix - name: list of providers for slow transport - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/transport line: "{{ item }}" create: yes diff --git a/postgresql/handlers/main.yml b/postgresql/handlers/main.yml index 15a773dd..0cb017d4 100644 
--- a/postgresql/handlers/main.yml +++ b/postgresql/handlers/main.yml @@ -1,26 +1,28 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart postgresql - systemd: + ansible.builtin.systemd: name: postgresql state: restarted daemon_reload: yes - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: Restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart - name: reconfigure locales - command: dpkg-reconfigure -f noninteractive locales + ansible.builtin.command: + cmd: dpkg-reconfigure -f noninteractive locales diff --git a/postgresql/tasks/config.yml b/postgresql/tasks/config.yml index 966f0930..87091b8f 100644 --- a/postgresql/tasks/config.yml +++ b/postgresql/tasks/config.yml @@ -1,12 +1,12 @@ --- - name: Ensure /etc/systemd/system/postgresql.service.d exists - file: + ansible.builtin.file: path: /etc/systemd/system/postgresql@.service.d state: directory recurse: true - name: Override PostgreSQL systemd unit - copy: + ansible.builtin.copy: src: postgresql.service.override.conf dest: /etc/systemd/system/postgresql@.service.d/override.conf force: yes @@ -16,13 +16,13 @@ - restart postgresql - name: Allow conf.d/*.conf files to be included in PostgreSQL configuration - lineinfile: + ansible.builtin.lineinfile: name: "/etc/postgresql/{{ postgresql_version }}/main/postgresql.conf" line: include_dir = 'conf.d' notify: restart postgresql - name: Create conf.d directory - file: + ansible.builtin.file: name: "/etc/postgresql/{{ postgresql_version }}/main/conf.d/" state: directory owner: postgres 
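Review bot: The `Ensure /etc/systemd/system/postgresql.service.d exists` task name does not match its `path: /etc/systemd/system/postgresql@.service.d` (the templated unit's drop-in directory), and `recurse: true` has no effect on an `ansible.builtin.file` directory task that sets no `owner`, `group` or `mode`. Renaming the task to the `postgresql@.service.d` path and dropping `recurse` (or adding the attributes it is meant to propagate) removes the ambiguity. In the handlers file, `reload systemd` uses the `daemon-reload` alias while `restart postgresql` uses `daemon_reload`; picking one spelling is a style nit.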
@@ -30,7 +30,7 @@ mode: "0755" - name: Copy PostgreSQL config file - template: + ansible.builtin.template: src: postgresql.conf.j2 dest: "/etc/postgresql/{{ postgresql_version }}/main/conf.d/zz-evolinux.conf" owner: postgres @@ -38,4 +38,4 @@ mode: "0644" notify: restart postgresql -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/postgresql/tasks/locales.yml b/postgresql/tasks/locales.yml index 8cf70989..30d21001 100644 --- a/postgresql/tasks/locales.yml +++ b/postgresql/tasks/locales.yml @@ -1,9 +1,9 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: select locales to be generated - locale_gen: + community.general.locale_gen: name: "{{ item }}" state: present loop: @@ -12,7 +12,7 @@ notify: reconfigure locales - name: set default locale - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/locale" regexp: "^LANG=" line: "LANG={{ locales_default }}" diff --git a/postgresql/tasks/logrotate.yml b/postgresql/tasks/logrotate.yml index f67f407a..55adc5bd 100644 --- a/postgresql/tasks/logrotate.yml +++ b/postgresql/tasks/logrotate.yml @@ -1,6 +1,6 @@ --- - name: logrotate configuration - copy: + ansible.builtin.copy: src: logrotate_postgresql dest: /etc/logrotate.d/postgresql-common force: no diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml index feb0b678..f826a639 100644 --- a/postgresql/tasks/munin.yml +++ b/postgresql/tasks/munin.yml @@ -1,16 +1,16 @@ --- - name: Are Munin plugins present in /etc ? - stat: + ansible.builtin.stat: path: /etc/munin/plugins register: etc_munin_plugins - name: Are Munin plugins present in /usr/share ? - stat: + ansible.builtin.stat: path: /usr/share/munin/plugins register: usr_share_munin_plugins - name: Add Munin plugins for PostgreSQL - file: + ansible.builtin.file: state: link src: '/usr/share/munin/plugins/{{ item }}' dest: '/etc/munin/plugins/{{ item }}' 
@@ -24,7 +24,7 @@ when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists - name: Add Munin plugins for PostgreSQL (for specific databases) - file: + ansible.builtin.file: state: link src: '/usr/share/munin/plugins/{{ item[0] }}' dest: '/etc/munin/plugins/{{ item[0] }}{{ item[1] }}' diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml index 833ab1ea..a4d1ef49 100644 --- a/postgresql/tasks/nrpe.yml +++ b/postgresql/tasks/nrpe.yml @@ -1,28 +1,29 @@ --- - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present - name: Generate random password for nrpe user - command: apg -n1 -m 12 -M SCNL + ansible.builtin.command: + cmd: apg -n1 -m 12 -M SCNL register: postgresql_nrpe_password changed_when: False - name: python-psycopg2 is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: python-psycopg2 state: present when: ansible_python_version is version('3', '<') - name: python3-psycopg2 is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: python3-psycopg2 state: present when: ansible_python_version is version('3', '>=') - name: Is nrpe present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg register: nrpe_evolix_config @@ -30,7 +31,7 @@ - name: Create nrpe user become: yes become_user: postgres - postgresql_user: + community.postgresql.postgresql_user: name: nrpe password: '{{ postgresql_nrpe_password.stdout }}' encrypted: yes @@ -39,7 +40,7 @@ when: nrpe_evolix_config.stat.exists - name: Add NRPE check - lineinfile: + ansible.builtin.lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_pgsql\]=' line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"' diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index bfbac181..4f42119b 100644 --- a/postgresql/tasks/packages_bullseye.yml +++ b/postgresql/tasks/packages_bullseye.yml 
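Review bot: The clear-text NRPE password produced by `apg` is registered as `postgresql_nrpe_password` and then passed to `community.postgresql.postgresql_user` and written into `/etc/nagios/nrpe.d/evolix.cfg` without `no_log`, so it is printed in verbose, callback and `--diff` output of all three tasks; add `no_log: true` to `Generate random password for nrpe user`, `Create nrpe user` and `Add NRPE check`. `changed_when: False` on the generator also hides that a fresh password is minted on every run, which rotates the `nrpe` role's password and rewrites the check line each time instead of converging — generating only when the `check_pgsql` line is absent, or sourcing the value from a stored secret, would make this idempotent. The `-p "…"` argument additionally exposes the password in the process list each time the check runs; a `~/.pgpass` entry for the nagios user would avoid that if the installed `check_pgsql` goes through libpq (not verifiable from here).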
@@ -1,15 +1,15 @@ --- - name: "Set variables (Debian 11)" - set_fact: + ansible.builtin.set_fact: postgresql_version: '13' when: postgresql_version is none or postgresql_version | length == 0 -- include: pgdg-repo.yml +- ansible.builtin.include: pgdg-repo.yml when: postgresql_version != '13' - name: Install postgresql package - apt: + ansible.builtin.apt: name: - "postgresql-{{ postgresql_version }}" - pgtop diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 3e8851fb..f35182ba 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -1,15 +1,15 @@ --- - name: "Set variables (Debian 10)" - set_fact: + ansible.builtin.set_fact: postgresql_version: '11' when: postgresql_version is none or postgresql_version | length == 0 -- include: pgdg-repo.yml +- ansible.builtin.include: pgdg-repo.yml when: postgresql_version != '11' - name: Install postgresql package - apt: + ansible.builtin.apt: name: - "postgresql-{{ postgresql_version }}" - pgtop diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index 70b5e181..632ddacb 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -1,15 +1,15 @@ --- - name: "Set variables (Debian 8)" - set_fact: + ansible.builtin.set_fact: postgresql_version: '9.4' when: postgresql_version is none or postgresql_version | length == 0 -- include: pgdg-repo.yml +- ansible.builtin.include: pgdg-repo.yml when: postgresql_version != '9.4' - name: Install postgresql package - apt: + ansible.builtin.apt: name: - "postgresql-{{ postgresql_version }}" - ptop diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index 97a71952..494fce3f 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml 
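Review bot: `ansible.builtin.include` is the FQCN of the long-deprecated `include` action (scheduled for removal in ansible-core 2.16, if I recall the schedule correctly), so this migration pins the role to a module that newer controllers no longer ship; the replacement is `ansible.builtin.include_tasks: pgdg-repo.yml`. Note that with `include_tasks` the `when:` is evaluated once at include time rather than inherited by every included task, which matches the intent here (skip the whole PGDG setup when the default version is used). The same applies to the other `ansible.builtin.include` lines in this commit (packages_buster/jessie/stretch, proftpd accounts, rabbitmq and redis main tasks).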
@@ -1,15 +1,15 @@ --- - name: "Set variables (Debian 9)" - set_fact: + ansible.builtin.set_fact: postgresql_version: '9.6' when: postgresql_version is none or postgresql_version | length == 0 -- include: pgdg-repo.yml +- ansible.builtin.include: pgdg-repo.yml when: postgresql_version != '9.6' - name: Install postgresql package - apt: + ansible.builtin.apt: name: - "postgresql-{{ postgresql_version }}" - ptop diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 9db20921..e9f25307 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -1,15 +1,15 @@ --- - name: Open firewall for PGDG repository - replace: + ansible.builtin.replace: name: /etc/default/minifirewall regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$" replace: "\\1 apt.postgresql.org'" notify: Restart minifirewall -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers - name: Add PGDG GPG key - copy: + ansible.builtin.copy: src: postgresql.asc dest: "{{ apt_keyring_dir }}/postgresql.asc" force: yes @@ -18,7 +18,7 @@ group: root - name: Add PGDG repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" filename: postgresql update_cache: yes @@ -38,7 +38,7 @@ when: elastic_sources is changed - name: Add APT preference file - template: + ansible.builtin.template: src: postgresql.pref.j2 dest: /etc/apt/preferences.d/postgresql.pref mode: "0644" diff --git a/postgresql/tasks/postgis.yml b/postgresql/tasks/postgis.yml index dbd511e9..ea50fc61 100644 --- a/postgresql/tasks/postgis.yml +++ b/postgresql/tasks/postgis.yml @@ -1,6 +1,6 @@ --- - name: Install PostGIS extention - apt: + ansible.builtin.apt: name: - postgis - "postgresql-{{ postgresql_version }}-postgis-2.5" 
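Review bot: The `Add APT preference file` task is guarded by `when: elastic_sources is changed`, a register name that nothing visible in this file sets — the `apt_repository` task above registers nothing — and that looks copy-pasted from an elasticsearch role; unless a task in the unseen lines between the two hunks registers it, the conditional fails with an undefined-variable error or the pinning file is never installed. If the preference file is meant to pin PGDG packages over Debian's, it should simply follow the repository task unconditionally, or key off a register of that task (`register: pgdg_sources` / `when: pgdg_sources is changed`). Separately, the repository URL is `http://apt.postgresql.org/…`; integrity is covered by `signed-by`, but apt.postgresql.org also serves the same path over HTTPS, which is preferable where egress allows it.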
diff --git a/postgresql/tests/test.yml b/postgresql/tests/test.yml index 88714dd1..5472e972 100644 --- a/postgresql/tests/test.yml +++ b/postgresql/tests/test.yml @@ -3,13 +3,13 @@ pre_tasks: - name: Install locales - apt: + ansible.builtin.apt: name: locales state: present changed_when: False - name: Setting default locales - lineinfile: + ansible.builtin.lineinfile: dest: /etc/locale.gen line: "{{ item }}" create: yes @@ -22,7 +22,8 @@ register: test_locales - name: Reconfigure locales - command: /usr/sbin/locale-gen + ansible.builtin.command: + cmd: /usr/sbin/locale-gen changed_when: False when: test_locales is changed diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml index 0914d289..2b320f4a 100644 --- a/proftpd/handlers/main.yml +++ b/proftpd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart proftpd - service: + ansible.builtin.service: name: proftpd state: restarted diff --git a/proftpd/tasks/account.yml b/proftpd/tasks/account.yml index cfe82156..4ad009e2 100644 --- a/proftpd/tasks/account.yml +++ b/proftpd/tasks/account.yml @@ -1,6 +1,7 @@ --- - name: Check if FTP account exist - command: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd + ansible.builtin.command: + cmd: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd failed_when: False check_mode: no changed_when: check_ftp_account.rc != 0 @@ -9,7 +10,8 @@ - proftpd - name: Generate FTP password - command: apg -n1 + ansible.builtin.command: + cmd: apg -n1 register: ftp_password check_mode: no when: check_ftp_account.rc != 0 @@ -17,14 +19,14 @@ - proftpd - name: Print generated password - debug: + ansible.builtin.debug: msg: "{{ ftp_password.stdout }}" when: check_ftp_account.rc != 0 tags: - proftpd - name: Hash generated FTP password - set_fact: + ansible.builtin.set_fact: proftpd_password: "{{ ftp_password.stdout | password_hash('sha512') }}" check_mode: no when: check_ftp_account.rc != 0 
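Review bot: `Generate FTP password` runs `apg -n1` with apg's defaults, which yield a short pronounceable password (8–10 characters, I believe), while `accounts_password.yml` in this same commit uses `apg -n 1 -m 16 -M lcN`; aligning this task on `cmd: apg -n 1 -m 16 -M lcN` gives the older per-account path the same strength. The registered `ftp_password` and the `set_fact` that hashes it carry the clear-text value with no `no_log: true`, so it is echoed in verbose and callback output beyond the deliberate `Print generated password` debug task. `grep "^{{ proftpd_name }}:"` also interpolates the account name into a regex inside a shell string; if the name is not validated upstream, `"^{{ proftpd_name | regex_escape }}:"` keeps metacharacters from altering the match.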
@@ -32,7 +34,8 @@ - proftpd - name: Get current FTP password - shell: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 + ansible.builtin.shell: + cmd: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 register: hashed_ftp_password check_mode: no when: check_ftp_account.rc == 0 @@ -41,7 +44,7 @@ - proftpd - name: Get current FTP password - set_fact: + ansible.builtin.set_fact: proftpd_password: "{{ hashed_ftp_password.stdout }}" check_mode: no when: check_ftp_account.rc == 0 @@ -50,7 +53,7 @@ - proftpd - name: Create FTP account - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/vpasswd state: present create: yes @@ -61,7 +64,7 @@ - proftpd - name: Allow FTP account - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/z-evolinux.conf state: present line: " AllowUser {{ proftpd_name }}" diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index b5cc5e85..99b036c9 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -1,11 +1,11 @@ --- -- include: accounts_password.yml +- ansible.builtin.include: accounts_password.yml when: item.password is undefined loop: "{{ proftpd_accounts }}" tags: - proftpd -- set_fact: +- ansible.builtin.set_fact: proftpd_accounts_final: "{{ proftpd_accounts_final + [ item ] }}" when: item.password is defined loop: "{{ proftpd_accounts }}" @@ -13,7 +13,7 @@ - proftpd - name: Create FTP account - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/vpasswd state: present create: yes @@ -26,7 +26,7 @@ - proftpd - name: Allow FTP account (FTP) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/z-evolinux.conf state: present line: "\tAllowUser {{ item.name }}" @@ -38,7 +38,7 @@ - proftpd - name: Allow FTP account (FTPS) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/ftps.conf state: present line: "\tAllowUser {{ item.name }}" 
@@ -50,7 +50,7 @@ - proftpd - name: Allow FTP account (SFTP) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/sftp.conf state: present line: "\tAllowUser {{ item.name }}" @@ -62,7 +62,7 @@ - proftpd - name: Allow keys for SFTP account - template: + ansible.builtin.template: dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}" src: authorized_keys.j2 mode: 0644 diff --git a/proftpd/tasks/accounts_password.yml b/proftpd/tasks/accounts_password.yml index 3ae37c88..0b986f39 100644 --- a/proftpd/tasks/accounts_password.yml +++ b/proftpd/tasks/accounts_password.yml @@ -1,6 +1,7 @@ --- - name: Check if FTP account exist - command: grep "^{{ item.name }}:" /etc/proftpd/vpasswd + ansible.builtin.command: + cmd: grep "^{{ item.name }}:" /etc/proftpd/vpasswd failed_when: False check_mode: no changed_when: check_ftp_account.rc != 0 @@ -9,13 +10,14 @@ - block: - name: Get current FTP password - shell: grep "^{{ item.name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 + ansible.builtin.shell: + cmd: grep "^{{ item.name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 register: protftpd_cur_password check_mode: no changed_when: False - name: Set password for this account - set_fact: + ansible.builtin.set_fact: protftpd_password: "{{ protftpd_cur_password.stdout }}" when: check_ftp_account.rc == 0 
@@ -23,20 +25,21 @@ - block: - name: Generate FTP password - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: proftpd_apg_password check_mode: no - name: Print generated password - debug: + ansible.builtin.debug: msg: "{{ proftpd_apg_password.stdout }}" - name: Hash generated password - set_fact: + ansible.builtin.set_fact: protftpd_password: "{{ proftpd_apg_password.stdout | password_hash('sha512') }}" when: check_ftp_account.rc != 0 - name: Update proftpd_accounts with password - set_fact: + ansible.builtin.set_fact: proftpd_accounts_final: "{{ proftpd_accounts_final + [ item | combine({ 'password': protftpd_password }) ] }}" diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 3afc69cb..ce292ad5 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: package is installed - apt: + ansible.builtin.apt: name: proftpd-basic state: present tags: @@ -8,7 +8,8 @@ - packages - name: ftpusers groupe exists - group: + + ansible.builtin.group: name: ftpusers state: present notify: restart proftpd @@ -16,7 +17,7 @@ - proftpd - name: FTP jail is installed - template: + ansible.builtin.template: src: evolinux.conf.j2 dest: /etc/proftpd/conf.d/z-evolinux.conf mode: "0644" @@ -27,7 +28,7 @@ - proftpd - name: FTPS jail is installed - template: + ansible.builtin.template: src: ftps.conf.j2 dest: /etc/proftpd/conf.d/ftps.conf mode: "0644" @@ -38,7 +39,7 @@ - proftpd - name: SFTP jail is installed - template: + ansible.builtin.template: src: sftp.conf.j2 dest: /etc/proftpd/conf.d/sftp.conf mode: "0644" @@ -49,7 +50,7 @@ - proftpd - name: SFTP key folder exists if needed - file: + ansible.builtin.file: path: /etc/proftpd/sftp.authorized_keys/ state: directory mode: "0755" 
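Review bot: The `ftpusers groupe exists` task in `proftpd/tasks/main.yml` gains an empty `+` line between `- name:` and `ansible.builtin.group:` (the hunk grows from 7 to 8 lines for what is otherwise a one-key rename); YAML accepts it, but it breaks the task's visual grouping and yamllint/ansible-lint will flag it. Drop the blank line so the module key follows `name:` directly, as in every other task in this commit; the same stray blank appears in `redis/tasks/instance-server.yml` for the instance group task. While touching the line, `groupe` in the task name is a typo for `group`.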
@@ -63,7 +64,7 @@ - proftpd - name: mod_tls_memcache is disabled - replace: + ansible.builtin.replace: dest: /etc/proftpd/modules.conf regexp: '^LoadModule mod_tls_memcache.c' replace: '#LoadModule mod_tls_memcache.c' @@ -72,7 +73,7 @@ - proftpd - name: Put empty vpasswd file if missing - copy: + ansible.builtin.copy: src: vpasswd dest: /etc/proftpd/vpasswd force: no @@ -84,7 +85,7 @@ # So, readonly when opened with vim. # Then readable by group. - name: Enforce permissions on password file - file: + ansible.builtin.file: path: /etc/proftpd/vpasswd mode: "0440" owner: root @@ -93,5 +94,5 @@ tags: - proftpd -- include: accounts.yml +- ansible.builtin.include: accounts.yml when: proftpd_accounts | length > 0 diff --git a/rabbitmq/handlers/main.yml b/rabbitmq/handlers/main.yml index 9f73baa6..ecd03471 100644 --- a/rabbitmq/handlers/main.yml +++ b/rabbitmq/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: restart rabbitmq - service: + ansible.builtin.service: name: rabbitmq-server state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index a3438adc..f485bc1f 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml @@ -1,10 +1,10 @@ - name: Install packages - apt: + ansible.builtin.apt: name: rabbitmq-server state: present - name: Create rabbitmq-env.conf - copy: + ansible.builtin.copy: src: evolinux-rabbitmq-env.conf dest: /etc/rabbitmq/rabbitmq-env.conf owner: rabbitmq @@ -13,7 +13,7 @@ force: no - name: Create rabbitmq.config - copy: + ansible.builtin.copy: src: evolinux-rabbitmq.config dest: /etc/rabbitmq/rabbitmq.config owner: rabbitmq 
@@ -22,34 +22,34 @@ force: no - name: Adjust ulimit - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/rabbitmq-server line: ulimit -n 2048 - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config tags: - nrpe -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml when: nrpe_evolix_config.stat.exists - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin check_mode: no register: etc_munin_directory tags: - nrpe -- include: munin.yml +- ansible.builtin.include: munin.yml when: etc_munin_directory.stat.exists - name: entry for RabbitMQ in web page is present - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html insertbefore: '' line: '
  • RabbitMQ
  • ' diff --git a/rabbitmq/tasks/munin.yml b/rabbitmq/tasks/munin.yml index cb872391..63ad5a15 100644 --- a/rabbitmq/tasks/munin.yml +++ b/rabbitmq/tasks/munin.yml @@ -1,13 +1,13 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - rabbitmq - munin - name: Create local munin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" @@ -16,7 +16,7 @@ - munin - name: Create local plugins directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" @@ -25,7 +25,7 @@ - munin - name: Copy rabbitmq_connections munin plugin - copy: + ansible.builtin.copy: src: rabbitmq_connections dest: /usr/local/share/munin/plugins/rabbitmq_connections mode: "0755" @@ -35,7 +35,7 @@ - munin - name: Enable rabbitmq_connections munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/rabbitmq_connections dest: "/etc/munin/plugins/rabbitmq_connections" state: link diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index b2f2a3a8..f491a68c 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -1,23 +1,23 @@ --- - name: python-requests is installed (check_rabbitmq dependency) - apt: + ansible.builtin.apt: name: python-requests state: present when: ansible_python_version is version('3', '<') - name: python3-requests is installed (check_rabbitmq dependency) - apt: + ansible.builtin.apt: name: python3-requests state: present when: ansible_python_version is version('3', '>=') -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr # https://raw.githubusercontent.com/CaptPhunkosis/check_rabbitmq/master/check_rabbitmq - name: check_rabbitmq is installed - copy: + ansible.builtin.copy: src: check_rabbitmq dest: /usr/local/lib/nagios/plugins/check_rabbitmq owner: root 
@@ -27,7 +27,7 @@ when: ansible_distribution_major_version is version('11', '<=') - name: check_rabbitmq (Python 3 version) is installed - copy: + ansible.builtin.copy: src: check_rabbitmq.python3 dest: /usr/local/lib/nagios/plugins/check_rabbitmq owner: root @@ -37,14 +37,14 @@ when: ansible_distribution_major_version is version('11', '>=') - name: check_rabbitmq is available for NRPE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: 'command\[check_rab_connection_count\]' line: 'command[check_rab_connection_count]=sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}' notify: restart nagios-nrpe-server - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_rabbitmq' line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_rabbitmq' diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 8294cfdc..4362c5db 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: "Rbenv dependencies are installed" - apt: + ansible.builtin.apt: name: - build-essential - git @@ -19,7 +19,7 @@ - packages - name: "gemrc for {{ username }}" - copy: + ansible.builtin.copy: src: gemrc dest: "~{{ username }}/.gemrc" owner: '{{ username }}' @@ -28,7 +28,7 @@ - rbenv - name: "Rbenv repository is checked out for {{ username }}" - git: + ansible.builtin.git: repo: '{{ rbenv_repo }}' dest: '{{ rbenv_root }}' version: '{{ rbenv_version }}' @@ -40,7 +40,7 @@ - rbenv - name: "default gems are installed for {{ username }}" - lineinfile: + ansible.builtin.lineinfile: dest: '{{ rbenv_root }}/default-gems' line: "{{ item }}" owner: '{{ username }}' @@ -53,7 +53,7 @@ - rbenv - name: "plugins directory for {{ username }}" - file: + ansible.builtin.file: path: '{{ rbenv_root }}/plugins' state: directory become_user: "{{ username }}" 
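Review bot: `sudo without password for nagios` edits `/etc/sudoers.d/evolinux` with `lineinfile` but no `validate:`; a malformed line there makes sudo reject every rule on the host, so add `validate: '/usr/sbin/visudo -cf %s'` (and `mode: "0440"` if the task can create the file). The rule grants root for `check_rabbitmq` with any arguments, and the plugin is a copy of a third-party GitHub script installed under `/usr/local/lib/nagios/plugins`; the `mode:` of the two copy tasks is outside this hunk, so confirm the installed file is root-owned and not group/world-writable, and consider constraining the argument pattern in the sudoers line, since anything the script can be coaxed into doing runs as root.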
@@ -62,7 +62,7 @@ - rbenv - name: "plugins are installed for {{ username }}" - git: + ansible.builtin.git: repo: '{{ item.repo }}' dest: '{{ rbenv_root }}/plugins/{{ item.name }}' version: '{{ item.version }}' @@ -75,7 +75,7 @@ - rbenv - name: "Rbenv is initialized in profile for {{ username }}" - blockinfile: + ansible.builtin.blockinfile: dest: '~{{ username }}/.profile' marker: "# {mark} ANSIBLE MANAGED RBENV INIT" block: | @@ -87,7 +87,8 @@ - rbenv - name: "is Ruby {{ rbenv_ruby_version }} available for {{ username }} ?" - shell: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}" + ansible.builtin.shell: + cmd: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}" failed_when: False changed_when: False check_mode: False @@ -98,7 +99,8 @@ - rbenv - name: "Ruby {{ rbenv_ruby_version }} is available for {{ username }} (be patient... could be long)" - shell: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" + ansible.builtin.shell: + cmd: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" when: ruby_installed.rc != 0 become_user: "{{ username }}" become: yes @@ -106,7 +108,8 @@ - rbenv - name: "is Ruby {{ rbenv_ruby_version }} selected for {{ username }} ?" - shell: /bin/bash -lc "rbenv version | cut -d ' ' -f 1 | grep -Fx '{{ rbenv_ruby_version }}'" + ansible.builtin.shell: + cmd: /bin/bash -lc "rbenv version | cut -d ' ' -f 1 | grep -Fx '{{ rbenv_ruby_version }}'" register: ruby_selected changed_when: False failed_when: False @@ -117,7 +120,8 @@ - rbenv - name: "select Ruby {{ rbenv_ruby_version }} for {{ username }}" - shell: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" + ansible.builtin.shell: + cmd: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" when: ruby_selected.rc != 0 become_user: "{{ username }}" become: yes diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index 6d870b39..73a7a09d 100644 --- a/redis/handlers/main.yml 
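Review bot: `rbenv versions | grep {{ rbenv_ruby_version }}` in the `is Ruby … available` check is a loose substring/regex match — `3.1` also matches `3.1.2` and `3.10.0`, and the dots match any character — so the install step can be skipped when a different Ruby is present, whereas the `is Ruby … selected` check a few lines below correctly uses `grep -Fx`. Use the bare listing and a fixed whole-line match: `cmd: /bin/bash -lc "rbenv versions --bare | grep -Fx '{{ rbenv_ruby_version }}'"`. Both checks interpolate `rbenv_ruby_version` into a `bash -lc` string; that is acceptable for an operator-set variable, but anything inventory-provided there is executed as the target user, which is worth a comment on the task.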
+++ b/redis/handlers/main.yml @@ -1,30 +1,30 @@ --- - name: restart redis - systemd: + ansible.builtin.systemd: name: "{{ redis_systemd_name }}" state: restarted - name: restart redis (noop) - meta: noop + ansible.builtin.meta: noop failed_when: False changed_when: False - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted - name: restart sysfsutils - service: + ansible.builtin.service: name: sysfsutils state: restarted diff --git a/redis/tasks/default-log2mail.yml b/redis/tasks/default-log2mail.yml index 3c50cab7..55466e16 100644 --- a/redis/tasks/default-log2mail.yml +++ b/redis/tasks/default-log2mail.yml @@ -1,7 +1,7 @@ --- - name: log2mail config is present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/log2mail/config/redis.conf owner: log2mail group: adm @@ -19,7 +19,7 @@ - log2mail - name: log2mail user is in redis group - user: + ansible.builtin.user: name: log2mail groups: redis append: yes diff --git a/redis/tasks/default-munin.yml b/redis/tasks/default-munin.yml index 1c9ab759..44c45011 100644 --- a/redis/tasks/default-munin.yml +++ b/redis/tasks/default-munin.yml @@ -1,18 +1,18 @@ --- - name: Install munin check dependencies - apt: + ansible.builtin.apt: name: libswitch-perl state: present tags: - redis -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" @@ -20,7 +20,7 @@ - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" 
@@ -28,7 +28,7 @@ - redis - name: Copy redis munin plugin - copy: + ansible.builtin.copy: src: munin_redis dest: /usr/local/share/munin/plugins/redis_ mode: "0755" @@ -37,7 +37,7 @@ - redis - name: Enable redis munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/redis_ dest: "/etc/munin/plugins/redis_{{ plugin_name }}" state: link @@ -56,14 +56,15 @@ - redis - name: Count redis condif blocks in munin-node configuration - command: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node + ansible.builtin.command: + cmd: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node register: munin_redis_blocs_in_config failed_when: False changed_when: False check_mode: no - name: Add redis password for munin (if no more than 1 config block) - ini_file: + community.general.ini_file: dest: /etc/munin/plugin-conf.d/munin-node section: 'redis_*' option: env.password @@ -77,7 +78,7 @@ - name: Warn if multiple instance in munin-plugins configuration - debug: + ansible.builtin.debug: msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed" when: - redis_password is not none diff --git a/redis/tasks/default-server.yml b/redis/tasks/default-server.yml index 10b4d382..89a664e6 100644 --- a/redis/tasks/default-server.yml +++ b/redis/tasks/default-server.yml @@ -1,7 +1,7 @@ --- - name: Redis is configured. - template: + ansible.builtin.template: src: redis.conf.j2 dest: "{{ redis_conf_dir }}/redis.conf" mode: "0640" @@ -12,7 +12,7 @@ - redis - name: Config directory permissions are set - file: + ansible.builtin.file: dest: "{{ redis_conf_dir }}" mode: "0750" owner: redis @@ -21,7 +21,7 @@ - redis - name: Redis is running and enabled on boot. - systemd: + ansible.builtin.systemd: name: "{{ redis_systemd_name }}" enabled: yes state: started diff --git a/redis/tasks/instance-log2mail.yml b/redis/tasks/instance-log2mail.yml index a20e1a0a..c57e5745 100644 --- a/redis/tasks/instance-log2mail.yml 
+++ b/redis/tasks/instance-log2mail.yml @@ -1,7 +1,7 @@ --- - name: log2mail config is present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/log2mail/config/redis.conf owner: log2mail group: adm diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index 72865e98..3d2274e7 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -1,18 +1,18 @@ --- - name: Install munin check dependencies - apt: + ansible.builtin.apt: name: libswitch-perl state: present tags: - redis -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" @@ -20,7 +20,7 @@ - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" @@ -28,7 +28,7 @@ - redis - name: Copy redis munin plugin - copy: + ansible.builtin.copy: src: munin_redis dest: /usr/local/share/munin/plugins/redis_ mode: "0755" @@ -37,7 +37,7 @@ - redis - name: Enable redis munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/redis_ dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}" state: link @@ -56,7 +56,7 @@ - redis - name: Configure redis plugin for munin - template: + ansible.builtin.template: src: templates/munin-plugin-instances.conf.j2 dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' mode: "0740" diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 3f70733e..42dc1876 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml 
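Review bot: `Configure redis plugin for munin` installs a plain configuration file (`evolinux.redis_{{ redis_instance_name }}`) with `mode: "0740"`; the execute bit is meaningless on a file munin-node only reads, and since this is presumably where the instance's redis password ends up (the template is not shown here), `mode: "0640"` is the permission that matches the intent. Owner and group are set outside this hunk; the group should be the one munin-node runs as so the password stays readable by the plugin and nobody else.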
@@ -1,14 +1,15 @@ --- - name: Verify Redis port - assert: + ansible.builtin.assert: that: - redis_port | int != 6379 msg: "If you want to use port 6379, use the default instance, not a named instance." when: not (redis_force_instance_port | bool) - name: "Instance '{{ redis_instance_name }}' group is present" - group: + + ansible.builtin.group: name: "redis-{{ redis_instance_name }}" state: present system: True @@ -16,7 +17,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' user is present" - user: + ansible.builtin.user: name: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" state: present @@ -26,7 +27,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' config directory is present" - file: + ansible.builtin.file: dest: "{{ redis_conf_dir }}" mode: "0750" owner: "redis-{{ redis_instance_name }}" @@ -37,7 +38,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' config hooks directories are present" - file: + ansible.builtin.file: dest: "{{ _dir }}" mode: "0750" owner: "redis-{{ redis_instance_name }}" @@ -58,7 +59,8 @@ - redis - name: "Instance '{{ redis_instance_name }}' hooks examples are present" - command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}" + ansible.builtin.command: + cmd: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}" args: creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example" loop: @@ -75,7 +77,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' socket/pid directories are present" - file: + ansible.builtin.file: dest: "{{ _dir }}" mode: "0755" owner: "redis-{{ redis_instance_name }}" @@ -91,7 +93,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' data/log directories are present" - file: + ansible.builtin.file: dest: "{{ _dir }}" mode: "0751" owner: "redis-{{ redis_instance_name }}" 
@@ -107,7 +109,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' log file are present" - file: + ansible.builtin.file: path: "{{ redis_log_dir }}/redis-server.log" mode: "660" owner: "redis-{{ redis_instance_name }}" @@ -118,7 +120,7 @@ - name: "Instance '{{ redis_instance_name }}' configuration file is present" - template: + ansible.builtin.template: src: redis.conf.j2 dest: "{{ redis_conf_dir }}/redis.conf" mode: "0640" @@ -129,7 +131,7 @@ - redis - name: Systemd template for redis instances is installed (Debian 8) - template: + ansible.builtin.template: src: 'redis-server@jessie.service.j2' dest: '/etc/systemd/system/redis-server@.service' mode: "0644" @@ -142,7 +144,7 @@ - redis - name: Systemd template for redis instances is installed (Debian 9) - template: + ansible.builtin.template: src: 'redis-server@stretch.service.j2' dest: '/etc/systemd/system/redis-server@.service' mode: "0644" @@ -155,7 +157,7 @@ - redis - name: Systemd template for redis instances is installed (Debian 10 or later) - template: + ansible.builtin.template: src: 'redis-server@buster.service.j2' dest: '/etc/systemd/system/redis-server@.service' mode: "0644" @@ -168,7 +170,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' systemd unit is enabled and started" - systemd: + ansible.builtin.systemd: name: "{{ redis_systemd_name }}" enabled: yes state: started @@ -177,7 +179,7 @@ - redis - name: Redis SysVinit script is stopped and disabled - service: + ansible.builtin.service: name: "redis-server" enabled: no state: stopped diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 24315b42..1077811b 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml 
@@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: redis_restart_handler_name: "{{ redis_restart_if_needed | bool | ternary('restart redis', 'restart redis (noop)') }}" - name: Linux kernel overcommit memory setting is enabled - sysctl: + ansible.posix.sysctl: name: "vm.overcommit_memory" value: "1" sysctl_file: "/etc/sysctl.d/evolinux-redis.conf" @@ -12,11 +12,11 @@ reload: yes - name: Customize Kernel Transparent Huge Page - include: thp.yml + ansible.builtin.include: thp.yml when: redis_sysctl_transparent_hugepage_enabled is not none - name: Redis is installed - apt: + ansible.builtin.apt: name: - redis-server - redis-tools @@ -26,7 +26,7 @@ - packages - name: Redis Sentinel is installed - apt: + ansible.builtin.apt: name: "redis-sentinel" state: present tags: @@ -35,21 +35,22 @@ when: redis_sentinel_install | bool - name: Get Redis version - shell: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'" + ansible.builtin.shell: + cmd: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'" changed_when: False check_mode: no register: _redis_installed_version tags: - redis -- set_fact: +- ansible.builtin.set_fact: redis_installed_version: "{{ _redis_installed_version.stdout }}" check_mode: no tags: - redis - name: set variables for default mode - set_fact: + ansible.builtin.set_fact: redis_conf_dir: "{{ redis_conf_dir_prefix }}" redis_socket_dir: "{{ redis_socket_dir_prefix }}" redis_pid_dir: "{{ redis_pid_dir_prefix }}" @@ -58,7 +59,7 @@ when: redis_instance_name is not defined - name: set variables for instance mode - set_fact: + ansible.builtin.set_fact: redis_systemd_name: "redis-server@{{ redis_instance_name }}" redis_conf_dir: "{{ redis_conf_dir_prefix }}-{{ redis_instance_name }}" redis_socket_dir: "{{ redis_socket_dir_prefix }}-{{ redis_instance_name }}" 
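Review bot: `ansible.posix.sysctl` in the first hunk (`@@ -1,10 +1,10 @@`) moves the task from a builtin module to the `ansible.posix` collection, and the redmine/tasks/mysql.yml and release.yml hunks later in this series do the same with `community.mysql.mysql_db`, `community.mysql.mysql_user` and `community.general.ini_file`; nothing in the diff declares those collections. Unless a `requirements.yml` or `meta/runtime.yml` outside this view already lists them, a controller without the collections installed fails at parse time with an unresolved action, so please add `ansible.posix`, `community.mysql` and `community.general` to the collection requirements in the same change.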
@@ -68,7 +69,7 @@ when: redis_instance_name is defined - name: Fail if redis_bind_interface is set - fail: + ansible.builtin.fail: msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)" when: - redis_bind_interface is defined @@ -76,15 +77,15 @@ - redis_bind_interface | length > 0 - name: configure Redis for default mode - include: default-server.yml + ansible.builtin.include: default-server.yml when: redis_instance_name is not defined - name: configure Redis for instance mode - include: instance-server.yml + ansible.builtin.include: instance-server.yml when: redis_instance_name is defined - name: Is Munin installed - stat: + ansible.builtin.stat: path: /etc/munin/plugins register: _munin_installed tags: @@ -92,7 +93,7 @@ - munin - name: configure Munin for default mode - include: default-munin.yml + ansible.builtin.include: default-munin.yml when: - _munin_installed.stat.exists - _munin_installed.stat.isdir @@ -102,7 +103,7 @@ - munin - name: configure Munin for instance mode - include: instance-munin.yml + ansible.builtin.include: instance-munin.yml when: - _munin_installed.stat.exists - _munin_installed.stat.isdir @@ -112,7 +113,7 @@ - munin - name: Is log2mail installed - stat: + ansible.builtin.stat: path: /etc/log2mail/config register: _log2mail_installed tags: @@ -120,7 +121,7 @@ - log2mail - name: configure log2mail for default mode - include: default-log2mail.yml + ansible.builtin.include: default-log2mail.yml when: - _log2mail_installed.stat.exists - _log2mail_installed.stat.isdir @@ -130,7 +131,7 @@ - log2mail - name: configure log2mail for instance mode - include: instance-log2mail.yml + ansible.builtin.include: instance-log2mail.yml when: - _log2mail_installed.stat.exists - _log2mail_installed.stat.isdir @@ -140,7 +141,7 @@ - log2mail - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config 
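Review bot: Rewriting `include: default-server.yml` as `ansible.builtin.include` (hunk `@@ -76,15 +77,15 @@`, likewise the munin, log2mail and nrpe includes in this file, and `redmine/tasks/main.yml` and `squid/tasks/main.yml` further down) keeps the long-deprecated `include` action under a fully qualified name; recent ansible-core releases have dropped it, so the FQCN migration should switch to `ansible.builtin.include_tasks` (dynamic, like `include`) or `ansible.builtin.import_tasks`. Note that `tags:` on an `include_tasks` task apply only to the include itself unless passed through `apply:`, whereas `import_tasks` propagates them to the imported tasks; the `- include: nrpe.yml` task with `tags: [redis, nrpe]` is the one to check when choosing.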
@@ -148,13 +149,14 @@ - redis - nrpe -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml when: nrpe_evolix_config.stat.exists tags: - redis - nrpe - name: Force restart redis - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: restart redis when: redis_restart_force | bool diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index b42e2da2..61400b99 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -1,7 +1,7 @@ --- - name: Install perl lib-redis (needed by check_redis) - apt: + ansible.builtin.apt: name: libredis-perl state: present tags: @@ -9,7 +9,7 @@ - nrpe - name: install check_redis on Jessie - copy: + ansible.builtin.copy: src: check_redis.pl dest: /usr/local/lib/nagios/plugins/check_redis force: yes @@ -24,7 +24,7 @@ - nrpe - name: set the path of check_redis on Jessie - set_fact: + ansible.builtin.set_fact: redis_check_redis_path: /usr/local/lib/nagios/plugins/check_redis when: - ansible_distribution == "Debian" @@ -34,7 +34,7 @@ - nrpe - name: set the path of check_redis on Stretch and later - set_fact: + ansible.builtin.set_fact: redis_check_redis_path: /usr/lib/nagios/plugins/check_redis when: - ansible_distribution == "Debian" @@ -44,7 +44,7 @@ - nrpe - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_redis$' line: 'nagios ALL = NOPASSWD: {{ redis_check_redis_path }}' @@ -57,7 +57,7 @@ - nrpe - name: Use check_redis for NRPE - replace: + ansible.builtin.replace: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}' @@ -68,7 +68,7 @@ - nrpe - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_redis$' line: 'nagios ALL = NOPASSWD: {{ redis_check_redis_path }}' 
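Review bot: The two `sudo without password for nagios` tasks in redis/tasks/nrpe.yml (`@@ -44,7 +44,7 @@` and `@@ -68,7 +68,7 @@`, plus the `check_redis_instances` variant in `@@ -107,7 +107,7 @@` of the same file) write `/etc/sudoers.d/evolinux` with `ansible.builtin.lineinfile` and no syntax check; a malformed `redis_check_redis_path` would leave sudo rejecting the whole drop-in. Add `validate: '/usr/sbin/visudo -cf %s'` to each of them so the file is only installed when it parses.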
@@ -80,11 +80,11 @@ - nrpe - name: "Remount /usr with RW for 'install check_redis instance'" - include_role: + ansible.builtin.include_role: name: evolix/remount-usr - name: install check_redis_instances - copy: + ansible.builtin.copy: src: check_redis_instances.sh dest: /usr/local/lib/nagios/plugins/check_redis_instances force: yes @@ -96,7 +96,7 @@ - nrpe - name: Use check_redis_instances for NRPE - replace: + ansible.builtin.replace: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=sudo /usr/local/lib/nagios/plugins/check_redis_instances' @@ -107,7 +107,7 @@ - nrpe - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_redis_instances$' line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_redis_instances' diff --git a/redis/tasks/thp.yml b/redis/tasks/thp.yml index 7a0dce27..7a215788 100644 --- a/redis/tasks/thp.yml +++ b/redis/tasks/thp.yml @@ -1,7 +1,7 @@ --- - name: sysfsutils is installed - apt: + ansible.builtin.apt: name: - sysfsutils state: present @@ -11,7 +11,7 @@ - kernel - name: Check possible values for THP - assert: + ansible.builtin.assert: that: redis_sysctl_transparent_hugepage_enabled is in ['always', 'madvise', 'never'] msg: "redis_sysctl_transparent_hugepage_enabled has incorrect value : '{{ redis_sysctl_transparent_hugepage_enabled }}' not in ['always', 'madvise', 'never']" tags: @@ -19,7 +19,7 @@ - kernel - name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} at boot" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sysfs.conf line: kernel/mm/transparent_hugepage/enabled = {{ redis_sysctl_transparent_hugepage_enabled }} regexp: "kernel/mm/transparent_hugepage/enabled" 
@@ -28,7 +28,8 @@ - kernel - name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} for this boot" - shell: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' >> /sys/kernel/mm/transparent_hugepage/enabled" + ansible.builtin.shell: + cmd: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' >> /sys/kernel/mm/transparent_hugepage/enabled" tags: - redis - kernel \ No newline at end of file diff --git a/redmine/handlers/main.yml b/redmine/handlers/main.yml index 3759afc4..595d83f4 100644 --- a/redmine/handlers/main.yml +++ b/redmine/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted - name: reload nginc - service: + ansible.builtin.service: name: nginx state: reloaded diff --git a/redmine/tasks/config.yml b/redmine/tasks/config.yml index e45bcea5..282f20f6 100644 --- a/redmine/tasks/config.yml +++ b/redmine/tasks/config.yml @@ -1,6 +1,6 @@ --- - name: Create systemd config dir - file: + ansible.builtin.file: state: directory dest: "/home/{{ redmine_user }}/{{ item }}" mode: "0750" @@ -14,7 +14,7 @@ - redmine - name: Deploy systemd unit - copy: + ansible.builtin.copy: src: puma.service dest: "/home/{{ redmine_user }}/.config/systemd/user/puma.service" mode: "0644" @@ -24,7 +24,7 @@ - redmine - name: Set user .profile - copy: + ansible.builtin.copy: src: profile dest: "/home/{{ redmine_user }}/.profile" owner: "{{ redmine_user }}" @@ -34,7 +34,7 @@ - redmine - name: Create config directory - file: + ansible.builtin.file: path: "/home/{{ redmine_user }}/config" state: directory owner: "{{ redmine_user }}" @@ -44,7 +44,7 @@ - redmine - name: Copy configurations file - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "/home/{{ redmine_user }}/config/{{ item }}" owner: "{{ redmine_user }}" diff --git a/redmine/tasks/main.yml b/redmine/tasks/main.yml index eb5c5915..41acd751 100644 --- a/redmine/tasks/main.yml +++ b/redmine/tasks/main.yml 
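Review bot: The THP task in redis/tasks/thp.yml (`@@ -28,7 +28,8 @@`) still runs `echo '…' >> /sys/kernel/mm/transparent_hugepage/enabled` unconditionally and without `changed_when`, so every play reports a change and sysfs is written even when the value is already in effect; `>>` also reads as an append on a pseudo-file that only takes one of the keywords the earlier `assert` allows. Read the current setting first (for example `ansible.builtin.command: cat /sys/kernel/mm/transparent_hugepage/enabled` registered with `changed_when: False`), guard this task with a `when:` that compares the bracketed current value to `redis_sysctl_transparent_hugepage_enabled`, and use `>` rather than `>>`.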
@@ -1,8 +1,8 @@ --- -- include: packages.yml -- include: syslog.yml -- include: user.yml -- include_role: +- ansible.builtin.include: packages.yml +- ansible.builtin.include: syslog.yml +- ansible.builtin.include: user.yml +- ansible.builtin.include_role: name: evolix/rbenv vars: - username: "{{ redmine_user }}" diff --git a/redmine/tasks/mysql.yml b/redmine/tasks/mysql.yml index 5f1f6631..6cf3ef36 100644 --- a/redmine/tasks/mysql.yml +++ b/redmine/tasks/mysql.yml @@ -1,6 +1,7 @@ --- - name: Get actual Mysql password - shell: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'" + ansible.builtin.shell: + cmd: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'" register: redmine_get_mysql_password check_mode: no changed_when: False @@ -9,7 +10,8 @@ - redmine - name: Generate Mysql password - shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + ansible.builtin.shell: + cmd: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' register: redmine_generate_mysql_password check_mode: no changed_when: False @@ -18,13 +20,13 @@ - redmine - name: Set Mysql password - set_fact: + ansible.builtin.set_fact: redmine_db_pass: "{{ redmine_generate_mysql_password.stdout | default(redmine_get_mysql_password.stdout) }}" tags: - redmine - name: Create Mysql database - mysql_db: + community.mysql.mysql_db: name: "{{ redmine_db_name }}" config_file: "/root/.my.cnf" state: present @@ -34,7 +36,7 @@ - redmine - name: Store credentials in my.cnf - ini_file: + community.general.ini_file: dest: "/home/{{ redmine_user }}/.my.cnf" owner: "{{ redmine_user }}" group: "{{ redmine_user }}" @@ -51,7 +53,7 @@ - redmine - name: Create Mysql user - mysql_user: + community.mysql.mysql_user: name: "{{ redmine_db_username }}" password: '{{ redmine_db_pass }}' priv: "{{ redmine_user }}.*:ALL" diff --git a/redmine/tasks/nginx.yml b/redmine/tasks/nginx.yml index 1ea1f40a..3ceebb0e 100644 --- a/redmine/tasks/nginx.yml 
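Review bot: The `Generate Mysql password` task in redmine/tasks/mysql.yml (`@@ -9,7 +10,8 @@`) derives the database password from Perl's `rand`, which is not a cryptographic generator, and the value then flows through registered output and `set_fact` (`@@ -18,13 +20,13 @@`) where `-v` runs and fact caching can expose it. Replace the shell pipeline with the builtin `password` lookup, e.g. `redmine_db_pass: "{{ lookup('password', '/dev/null', length=16) }}"`, and put `no_log: True` on the get, generate, `set_fact` and `community.mysql.mysql_user` tasks. The `| default(redmine_get_mysql_password.stdout)` only falls back when the generate task was skipped, so this presumably relies on a `when:` outside the hunk; worth confirming.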
+++ b/redmine/tasks/nginx.yml @@ -1,6 +1,6 @@ --- - name: Add www-data to Redmine group - user: + ansible.builtin.user: name: www-data groups: "{{ redmine_user }}" append: True @@ -9,7 +9,7 @@ - nginx - name: Copy nginx vhost - template: + ansible.builtin.template: src: nginx.conf.j2 dest: "/etc/nginx/sites-available/{{ redmine_user }}.conf" mode: "0644" @@ -19,7 +19,7 @@ - nginx - name: Enable nginx vhost - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/{{ redmine_user }}.conf" dest: "/etc/nginx/sites-enabled/{{ redmine_user }}.conf" state: link diff --git a/redmine/tasks/packages.yml b/redmine/tasks/packages.yml index 294ef693..9d6978a7 100644 --- a/redmine/tasks/packages.yml +++ b/redmine/tasks/packages.yml @@ -1,6 +1,6 @@ --- - name: Install dependency - apt: + ansible.builtin.apt: name: - libpam-systemd - imagemagick @@ -20,7 +20,7 @@ # dependency for mysql_user and mysql_db - name: python modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -31,7 +31,7 @@ # dependency for mysql_user and mysql_db - name: python3 modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql diff --git a/redmine/tasks/release.yml b/redmine/tasks/release.yml index 548132fc..4f1430a5 100644 --- a/redmine/tasks/release.yml +++ b/redmine/tasks/release.yml @@ -1,6 +1,7 @@ --- - name: Get id of user - command: "id -u {{ redmine_user }}" + ansible.builtin.command: + cmd: "id -u {{ redmine_user }}" register: redmine_command_user_id changed_when: False check_mode: False @@ -8,7 +9,7 @@ - redmine - name: Define user environment - set_fact: + ansible.builtin.set_fact: user_env: XDG_RUNTIME_DIR: "/run/user/{{ redmine_command_user_id.stdout }}" RAILS_ENV: production @@ -16,7 +17,7 @@ - redmine - name: Stop puma service - systemd: + ansible.builtin.systemd: name: puma daemon_reload: yes state: stopped 
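Review bot: `Stop puma service` (`@@ -16,7 +17,7 @@` of redmine/tasks/release.yml) targets a unit that config.yml installs under `/home/{{ redmine_user }}/.config/systemd/user/puma.service`, so `ansible.builtin.systemd` needs `scope: user` and must run as that user with its `XDG_RUNTIME_DIR`; the lines after `state: stopped` are outside the hunk, so this may already be present. If not, add `scope: user` and `become_user: "{{ redmine_user }}"` together with `environment: "{{ user_env }}"`, which the preceding `Define user environment` task already builds for this purpose. The `Start puma service` hunk at the end of release.yml has the same dependency.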
@@ -27,7 +28,7 @@ - redmine - name: Create mysqldump directory - file: + ansible.builtin.file: path: "/home/{{ redmine_user }}/mysqldump" state: directory owner: "{{ redmine_user }}" @@ -37,7 +38,7 @@ - redmine - name: Dump mysql database - mysql_db: + community.mysql.mysql_db: state: dump config_file: "/home/{{ redmine_user }}/.my.cnf" name: "{{ redmine_db_name }}" @@ -46,7 +47,7 @@ - redmine - name: Change www link - file: + ansible.builtin.file: state: link src: "/home/{{ redmine_user }}/releases/{{ redmine_version }}" dest: "/home/{{ redmine_user }}/www" @@ -56,7 +57,8 @@ - redmine - name: Update Gemfile.lock - command: "~/.rbenv/bin/rbenv exec bundle lock" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle lock" args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" @@ -65,7 +67,8 @@ - redmine - name: Update local gems with bundle - command: "~/.rbenv/bin/rbenv exec bundle install --deployment" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle install --deployment" args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" @@ -74,7 +77,8 @@ - redmine - name: Generate secret token - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q generate_secret_token" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q generate_secret_token" args: chdir: "/home/{{ redmine_user }}/www" creates: "/home/{{ redmine_user }}/www/config/initializers/secret_token.rb" @@ -84,7 +88,8 @@ - redmine - name: Migrate database with rake - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q db:migrate" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q db:migrate" args: chdir: "/home/{{ redmine_user }}/www/" become_user: "{{ redmine_user }}" 
@@ -93,7 +98,8 @@ - redmine - name: Populate Mysql database - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:load_default_data REDMINE_LANG=fr" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:load_default_data REDMINE_LANG=fr" args: chdir: "/home/{{ redmine_user }}/www/" become_user: "{{ redmine_user }}" @@ -103,7 +109,8 @@ - redmine - name: Migrate plugins - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:plugins:migrate" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:plugins:migrate" args: chdir: "/home/{{ redmine_user }}/www/" become_user: "{{ redmine_user }}" @@ -112,7 +119,7 @@ - redmine - name: Start puma service - systemd: + ansible.builtin.systemd: name: puma daemon_reload: yes state: started diff --git a/redmine/tasks/source.yml b/redmine/tasks/source.yml index 7893a5ad..980d2c13 100644 --- a/redmine/tasks/source.yml +++ b/redmine/tasks/source.yml @@ -1,6 +1,6 @@ --- - name: Create releases directory - file: + ansible.builtin.file: path: "/home/{{ redmine_user }}/{{ item }}" state: directory owner: "{{ redmine_user }}" @@ -13,7 +13,7 @@ - redmine - name: Download Redmine archive - unarchive: + ansible.builtin.unarchive: src: "https://redmine.org/releases/redmine-{{ redmine_version }}.tar.gz" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}" remote_src: True @@ -24,7 +24,7 @@ - redmine - name: Link config files - file: + ansible.builtin.file: state: link src: "/home/{{ redmine_user }}/config/{{ item }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/config/{{ item }}" @@ -38,7 +38,7 @@ - redmine - name: Copy/Update plugin from archive - unarchive: + ansible.builtin.unarchive: src: "{{ item.zip }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/plugins/" remote_src: yes 
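Review bot: `Download Redmine archive` in redmine/tasks/source.yml (`@@ -13,7 +13,7 @@`) unpacks `https://redmine.org/releases/redmine-{{ redmine_version }}.tar.gz` with `remote_src: True` and no integrity check, so the deployed tree is whatever the server (or anything between) returns; the plugin and theme `unarchive` tasks in the same file take `item.zip` the same way. `ansible.builtin.unarchive` has no checksum option, so fetch with `ansible.builtin.get_url` and its `checksum:` first, then unarchive the local file; the expected digest below is a placeholder to be filled from the release page.
```yaml
- name: Download Redmine archive
  ansible.builtin.get_url:
    url: "https://redmine.org/releases/redmine-{{ redmine_version }}.tar.gz"
    dest: "/home/{{ redmine_user }}/releases/redmine-{{ redmine_version }}.tar.gz"
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
# … unchanged: unarchive task, now with src pointing at the dest above and remote_src: True …
```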
@@ -51,7 +51,7 @@ - redmine - name: Copy/Update plugin from git repository - git: + ansible.builtin.git: repo: "{{ item.git }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/plugins/{{ item.git | basename | splitext | first }}" version: "{{ item.tree | default('master') }}" @@ -63,7 +63,7 @@ - redmine - name: Copy/Update theme from archive - unarchive: + ansible.builtin.unarchive: src: "{{ item.zip }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/public/themes" remote_src: yes @@ -76,7 +76,7 @@ - redmine - name: Copy/Update theme from git repository - git: + ansible.builtin.git: repo: "{{ item.git }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/public/themes/{{ item.git | basename | splitext | first }}" version: "{{ item.tree | default('master') }}" @@ -88,7 +88,7 @@ - redmine - name: Deploy custom Gemfile - template: + ansible.builtin.template: src: Gemfile.local.j2 dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/Gemfile.local" owner: "{{ redmine_user }}" diff --git a/redmine/tasks/syslog.yml b/redmine/tasks/syslog.yml index b53e2660..14be7827 100644 --- a/redmine/tasks/syslog.yml +++ b/redmine/tasks/syslog.yml @@ -1,6 +1,6 @@ --- - name: Create log directory - file: + ansible.builtin.file: state: directory dest: /var/log/redmine owner: root @@ -10,7 +10,7 @@ - redmine - name: Copy syslog configuration - copy: + ansible.builtin.copy: src: syslog.conf dest: /etc/rsyslog.d/redmine.conf mode: "0644" @@ -19,7 +19,7 @@ - redmine - name: Copy logrotate configuration - copy: + ansible.builtin.copy: src: logrotate dest: /etc/logrotate.d/redmine mode: "0644" diff --git a/redmine/tasks/user.yml b/redmine/tasks/user.yml index dc959db1..db9cbd1a 100644 --- a/redmine/tasks/user.yml +++ b/redmine/tasks/user.yml 
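Review bot: The plugin and theme `ansible.builtin.git` tasks (`@@ -51,7 +51,7 @@` and `@@ -76,7 +76,7 @@`) check out `version: "{{ item.tree | default('master') }}"`, so any entry without `tree` follows a moving branch and silently picks up whatever the upstream repository pushes next, and repositories whose default branch is not `master` fail outright. Prefer pinning: document `tree` as a tag or commit SHA in the role README, and use `default(omit)` instead of `'master'` so the module falls back to the repository's own default branch when nothing is pinned.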
@@ -1,13 +1,14 @@ --- - name: Create redmine group - group: + + ansible.builtin.group: name: "{{ redmine_user }}" state: present tags: - redmine - name: Create redmine user - user: + ansible.builtin.user: name: "{{ redmine_user }}" state: present group: "{{ redmine_user }}" @@ -18,7 +19,7 @@ - redmine - name: Add redmine user to Redis group - user: + ansible.builtin.user: name: "{{ redmine_user }}" groups: "redis-{{ redmine_user }}" append: True @@ -27,7 +28,7 @@ - redmine - name: Create required directory - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: "{{ redmine_user }}" @@ -40,5 +41,6 @@ - redmine - name: Enable systemd user mode - command: "loginctl enable-linger {{ redmine_user }}" + ansible.builtin.command: + cmd: "loginctl enable-linger {{ redmine_user }}" changed_when: False diff --git a/remount-usr/handlers/main.yml b/remount-usr/handlers/main.yml index 854a8883..ea22acee 100644 --- a/remount-usr/handlers/main.yml +++ b/remount-usr/handlers/main.yml @@ -1,4 +1,5 @@ --- - name: remount usr - command: "mount -o remount /usr" + ansible.builtin.command: + cmd: "mount -o remount /usr" failed_when: False \ No newline at end of file diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index e4cf9d36..eb5c0109 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml @@ -2,14 +2,16 @@ # findmnt returns 0 on hit, 1 on miss # If the return code is higher than 1, it's a blocking failure - name: "check if /usr is a read-only partition" - command: 'findmnt /usr --noheadings --options ro' + ansible.builtin.command: + cmd: 'findmnt /usr --noheadings --options ro' changed_when: False failed_when: usr_partition.rc > 1 check_mode: no register: usr_partition - name: "mount /usr in rw" - command: 'mount -o remount,rw /usr' + ansible.builtin.command: + cmd: 'mount -o remount,rw /usr' changed_when: False when: usr_partition.rc == 0 notify: remount usr 
diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml index 7479d736..78597a37 100644 --- a/spamassasin/handlers/main.yml +++ b/spamassasin/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart spamassassin - service: + ansible.builtin.service: name: spamassassin state: restarted diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index a2cbaf9a..9f2889ca 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install SpamAssasin - apt: + ansible.builtin.apt: name: - spamassassin state: present @@ -8,7 +8,7 @@ - spamassassin - name: configure SpamAssasin - copy: + ansible.builtin.copy: src: spamassassin.cf dest: /etc/spamassassin/local_evolix.cf mode: "0644" @@ -17,7 +17,7 @@ - spamassassin - name: enable SpamAssasin - replace: + ansible.builtin.replace: dest: /etc/default/spamassassin regexp: 'ENABLED=0' replace: 'ENABLED=1' @@ -26,7 +26,7 @@ - spamassassin - name: add amavis user to debian-spamd group - user: + ansible.builtin.user: name: amavis groups: debian-spamd append: yes @@ -34,31 +34,31 @@ - spamassassin - name: fix right on /var/lib/spamassassin - file: + ansible.builtin.file: dest: /var/lib/spamassassin state: directory mode: "0750" tags: - spamassassin -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - spamassassin - name: Check evomaintenance config - stat: + ansible.builtin.stat: path: /etc/evomaintenance.cf register: _evomaintenance_config - name: Verify sa-update dependency - assert: + ansible.builtin.assert: that: - _evomaintenance_config.stat.exists msg: sa-update.sh needs /etc/evomaintenance.cf - name: copy sa-update.sh script - copy: + ansible.builtin.copy: src: sa-update.sh dest: /usr/share/scripts/sa-update.sh mode: "0750" 
@@ -66,8 +66,8 @@ - spamassassin - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -75,7 +75,7 @@ register: is_cron_installed - name: enable sa-update.sh cron - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cron.d/sa-update line: "42 6 5 1,4,7,10 * root /usr/share/scripts/sa-update.sh" create: yes @@ -86,13 +86,14 @@ - spamassassin - name: update SpamAssasin's rules - command: "/usr/share/scripts/sa-update.sh" + ansible.builtin.command: + cmd: "/usr/share/scripts/sa-update.sh" changed_when: False tags: - spamassassin - name: ensure SpamAssasin is started and enabled - systemd: + ansible.builtin.systemd: name: spamassassin state: started enabled: True diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 4f5329b9..149d4827 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml @@ -1,33 +1,34 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart squid - service: + ansible.builtin.service: name: squid state: restarted - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded - name: restart squid3 - service: + ansible.builtin.service: name: squid3 state: restarted - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted - name: restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart diff --git a/squid/tasks/log2mail.yml b/squid/tasks/log2mail.yml index 5454dc10..1d36eb09 100644 --- a/squid/tasks/log2mail.yml +++ b/squid/tasks/log2mail.yml 
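Review bot: In `Check if cron is installed` (`@@ -66,8 +66,8 @@`) the `args:` key is removed but the `executable: /bin/bash` context line is kept as is; the task is only valid if that line's indentation now matches the new `cmd:` line under `ansible.builtin.shell:`, which this whitespace-collapsed view cannot confirm. Please run `ansible-playbook --syntax-check` on the role, since the `set -o pipefail` in the command requires bash and would fail under `/bin/sh` if `executable` ends up at the wrong level.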
@@ -1,14 +1,14 @@ --- - name: is log2mail installed? - stat: + ansible.builtin.stat: path: /etc/log2mail/config/ check_mode: no register: log2mail_config - block: - name: log2mail proxy config is present - template: + ansible.builtin.template: src: log2mail.j2 dest: /etc/log2mail/config/squid.conf mode: "0640" @@ -17,7 +17,7 @@ notify: restart log2mail - name: log2mail user is in proxy group - user: + ansible.builtin.user: name: log2mail groups: proxy append: yes diff --git a/squid/tasks/logrotate_jessie.yml b/squid/tasks/logrotate_jessie.yml index 010d13cc..345cd053 100644 --- a/squid/tasks/logrotate_jessie.yml +++ b/squid/tasks/logrotate_jessie.yml @@ -11,7 +11,8 @@ # is the one provided by the package. - name: check if logrotate file is default - shell: 'printf "43994674706b672ae5018f592beccf2e /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' + ansible.builtin.shell: + cmd: 'printf "43994674706b672ae5018f592beccf2e /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' changed_when: False failed_when: False check_mode: no @@ -20,7 +21,7 @@ - squid - name: logrotate configuration - template: + ansible.builtin.template: src: logrotate_jessie.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} force: yes diff --git a/squid/tasks/logrotate_stretch.yml b/squid/tasks/logrotate_stretch.yml index 579c228c..df264068 100644 --- a/squid/tasks/logrotate_stretch.yml +++ b/squid/tasks/logrotate_stretch.yml @@ -11,7 +11,8 @@ # is the one provided by the package. - name: check if logrotate file is default - shell: 'printf "c210feea019412adac8a5d5dcba427af /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' + ansible.builtin.shell: + cmd: 'printf "c210feea019412adac8a5d5dcba427af /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' changed_when: False failed_when: False check_mode: no 
@@ -20,7 +21,7 @@ - squid - name: logrotate configuration - template: + ansible.builtin.template: src: logrotate_stretch.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} force: yes diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 5cb60ea9..0a200188 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -1,49 +1,49 @@ --- -- fail: +- ansible.builtin.fail: msg: only compatible with Debian >= 8 when: - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<') - name: "Set squid name (jessie)" - set_fact: + ansible.builtin.set_fact: squid_daemon_name: squid3 when: ansible_distribution_release == "jessie" - name: "Set squid name (Debian 9 or later)" - set_fact: + ansible.builtin.set_fact: squid_daemon_name: squid when: ansible_distribution_major_version is version('9', '>=') - name: "Install Squid packages" - apt: + ansible.builtin.apt: name: - "{{ squid_daemon_name }}" - squidclient state: present - name: Fetch packages - package_facts: + ansible.builtin.package_facts: manager: auto -- debug: +- ansible.builtin.debug: var: ansible_facts.packages[squid_daemon_name] - name: "Set alternative config file (Debian 9 or later)" - copy: + ansible.builtin.copy: src: default_squid dest: /etc/default/squid when: ansible_distribution_major_version is version('9', '>=') - name: "squid.conf is present (jessie)" - template: + ansible.builtin.template: src: squid.conf.j2 dest: /etc/squid3/squid.conf notify: "restart squid3" when: ansible_distribution_release == "jessie" - name: "evolix whitelist is present (jessie)" - copy: + ansible.builtin.copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf force: no 
@@ -51,21 +51,21 @@ when: ansible_distribution_release == "jessie" - name: "evolinux defaults squid file (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-defaults.conf dest: /etc/squid/evolinux-defaults.conf notify: "restart squid" when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux defaults whitelist (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-whitelist-defaults.conf dest: /etc/squid/evolinux-whitelist-defaults.conf notify: "reload squid" when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom whitelist (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-whitelist-custom.conf content: | # Put customized values here. @@ -73,7 +73,7 @@ when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux acl for local proxy (Debian 9 or later)" - template: + ansible.builtin.template: src: evolinux-acl.conf.j2 dest: /etc/squid/evolinux-acl.conf force: no @@ -83,7 +83,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom acl (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-acl.conf content: | # Put customized values here. @@ -93,7 +93,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux http_access for local proxy (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-httpaccess.conf dest: /etc/squid/evolinux-httpaccess.conf force: no @@ -103,7 +103,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom http_access (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-httpaccess.conf content: | # Put customized values here. 
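Review bot: The unconditional `ansible.builtin.debug` of `ansible_facts.packages[squid_daemon_name]` in squid/tasks/main.yml (`@@ -1,49 +1,49 @@`) prints package details on every run; give it `verbosity: 1` so it only shows with `-v`, or drop it if it was left over from debugging.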
@@ -113,7 +113,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux overrides for local proxy (Debian 9 or later)" - template: + ansible.builtin.template: src: evolinux-custom.conf.j2 dest: /etc/squid/evolinux-custom.conf force: no @@ -123,7 +123,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom overrides (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-custom.conf content: | # Put customized values here. @@ -133,7 +133,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: add some URL in whitelist (Debian 8) - lineinfile: + ansible.builtin.lineinfile: insertafter: EOF dest: /etc/squid3/whitelist.conf line: "{{ item }}" @@ -143,7 +143,7 @@ when: ansible_distribution_major_version == '8' - name: add some URL in whitelist (Debian 9 or later) - lineinfile: + ansible.builtin.lineinfile: insertafter: EOF dest: /etc/squid/evolinux-whitelist-custom.conf line: "{{ item }}" @@ -152,15 +152,15 @@ notify: "reload squid" when: ansible_distribution_major_version is version('9', '>=') -- include: systemd.yml +- ansible.builtin.include: systemd.yml when: ansible_distribution_major_version is version('10', '>=') -- include: logrotate_jessie.yml +- ansible.builtin.include: logrotate_jessie.yml when: ansible_distribution_release == "jessie" -- include: logrotate_stretch.yml +- ansible.builtin.include: logrotate_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: minifirewall.yml +- ansible.builtin.include: minifirewall.yml -- include: log2mail.yml +- ansible.builtin.include: log2mail.yml diff --git a/squid/tasks/minifirewall.legacy.yml b/squid/tasks/minifirewall.legacy.yml index f7e78ee5..18ee45aa 100644 --- a/squid/tasks/minifirewall.legacy.yml +++ b/squid/tasks/minifirewall.legacy.yml 
@@ -1,20 +1,20 @@ --- - name: Check if Minifirewall is present - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" check_mode: no register: minifirewall_test - block: - name: HTTPSITES list is commented in minifirewall - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSITES='0.0.0.0/0'" regexp: "HTTPSITES='.*'" @@ -22,7 +22,7 @@ notify: restart minifirewall - name: add iptables rules for the proxy - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: "^#? *{{ item }}" line: "{{ item }}" @@ -35,7 +35,7 @@ notify: restart minifirewall - name: remove minifirewall example rule for the proxy - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent diff --git a/squid/tasks/minifirewall.yml b/squid/tasks/minifirewall.yml index 5abdf9df..7cece087 100644 --- a/squid/tasks/minifirewall.yml +++ b/squid/tasks/minifirewall.yml @@ -1,20 +1,20 @@ --- - name: Check if Minifirewall is present - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" check_mode: no register: minifirewall_test - block: - name: HTTPSITES list is commented in minifirewall - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSITES='0.0.0.0/0'" regexp: "HTTPSITES='.*'" 
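Review bot: `add iptables rules for the proxy` in squid/tasks/minifirewall.legacy.yml (`@@ -22,7 +22,7 @@`) interpolates each loop item raw into `regexp: "^#? *{{ item }}"`; the items are iptables rule fragments (the loop itself is outside the hunk), so dots, brackets or other metacharacters in them are read as regex and can match a different line than intended. Use `regexp: "^#? *{{ item | regex_escape() }}"`; the `Set proxy configuration for minifirewall (legacy mode)` task in squid/tasks/minifirewall.yml uses the same pattern and needs the same change.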
@@ -23,14 +23,15 @@ # The PROXY variable means that minifirewall is "modern" - name: Look for PROXY variable - shell: "grep -E '^\\s*PROXY=' /etc/default/minifirewall" + ansible.builtin.shell: + cmd: "grep -E '^\\s*PROXY=' /etc/default/minifirewall" failed_when: False changed_when: False check_mode: False register: _minifirewall_proxy_var_check - name: Set proxy configuration for minifirewall (legacy mode) - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: "^#? *{{ item }}" line: "{{ item }}" @@ -44,7 +45,7 @@ when: _minifirewall_proxy_var_check.rc == 1 - name: remove minifirewall example rule for the proxy (legacy mode) - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent @@ -52,7 +53,7 @@ when: _minifirewall_proxy_var_check.rc == 1 - name: Set proxy configuration for minifirewall (modern mode) - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" replace: "PROXY='on'" regexp: "PROXY='.*'" diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml index c84e52d6..7e262f23 100644 --- a/squid/tasks/systemd.yml +++ b/squid/tasks/systemd.yml @@ -1,14 +1,15 @@ --- - name: Look for existing systemd unit - command: systemctl -q is-active squid.service + ansible.builtin.command: + cmd: systemctl -q is-active squid.service changed_when: False failed_when: False check_mode: no register: _squid_systemd_active - name: Squid systemd overrides directory exists - file: + ansible.builtin.file: dest: /etc/systemd/system/squid.service.d/ state: directory owner: root @@ -16,7 +17,7 @@ mode: "0755" - name: "Squid systemd unit service is present" - template: + ansible.builtin.template: src: systemd-override.conf.j2 dest: /etc/systemd/system/squid.service.d/override.conf mode: "0644" 
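Review bot: The `Look for PROXY variable` task keeps `ansible.builtin.shell` for `grep -E '^\\s*PROXY=' /etc/default/minifirewall`, a command with no pipe, redirection or glob, so `ansible.builtin.command` with the same `cmd:` would run it without spawning a shell, as the commit already does for `systemctl` in squid/tasks/systemd.yml further along this line. The same task spells `check_mode: False` while the `stat` task at the top of this file uses `check_mode: no`; one spelling across the file would read better. The rest of the enclosing task list is unchanged apart from the renames.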
@@ -24,7 +25,7 @@ register: _squid_systemd_override - name: "Systemd daemon is reloaded and Squid restarted" - systemd: + ansible.builtin.systemd: name: squid state: restarted daemon_reload: yes diff --git a/ssl/handlers/main.yml b/ssl/handlers/main.yml index 3393e45a..d4dcb52a 100644 --- a/ssl/handlers/main.yml +++ b/ssl/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: reload haproxy - service: + ansible.builtin.service: name: haproxy state: reloaded diff --git a/ssl/tasks/haproxy.yml b/ssl/tasks/haproxy.yml index 2ba30ac9..878524f3 100644 --- a/ssl/tasks/haproxy.yml +++ b/ssl/tasks/haproxy.yml @@ -1,6 +1,6 @@ --- - name: Concatenate SSL certificate, key and dhparam - set_fact: + ansible.builtin.set_fact: ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n" with_fileglob: - "ssl/{{ ssl_cert }}.pem" @@ -10,7 +10,7 @@ - ssl - name: Create haproxy ssl directory - file: + ansible.builtin.file: dest: /etc/haproxy/ssl state: directory mode: "0700" @@ -18,7 +18,7 @@ - ssl - name: Copy concatenated certificate and key - copy: + ansible.builtin.copy: content: "{{ ssl_cat }}" dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem" mode: "0600" @@ -27,7 +27,7 @@ - ssl - name: Reset ssl_cat variable - set_fact: + ansible.builtin.set_fact: ssl_cat: "" tags: - ssl diff --git a/ssl/tasks/main.yml b/ssl/tasks/main.yml index 3ec71115..01398dec 100644 --- a/ssl/tasks/main.yml +++ b/ssl/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Copy SSL certificate - copy: + ansible.builtin.copy: src: "ssl/{{ ssl_cert }}.pem" dest: "/etc/ssl/certs/{{ ssl_cert }}.pem" mode: "0644" @@ -9,7 +9,7 @@ - ssl - name: Copy SSL key - copy: + ansible.builtin.copy: src: "ssl/{{ ssl_cert }}.key" dest: "/etc/ssl/private/{{ ssl_cert }}.key" mode: "0640" @@ -20,7 +20,7 @@ - ssl - name: Copy SSL dhparam - copy: + ansible.builtin.copy: src: "ssl/{{ ssl_cert }}.dhp" dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp" mode: "0644" 
@@ -29,8 +29,8 @@ - ssl - name: Check if Haproxy is installed - shell: "set -o pipefail && dpkg -l haproxy 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l haproxy 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash register: haproxy_check check_mode: no @@ -39,5 +39,5 @@ tags: - ssl -- include: haproxy.yml +- ansible.builtin.include: haproxy.yml when: haproxy_check.rc == 0 diff --git a/supervisord/handlers/main.yml b/supervisord/handlers/main.yml index be10ba0a..dde2339d 100644 --- a/supervisord/handlers/main.yml +++ b/supervisord/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart supervisor - service: + ansible.builtin.service: name: supervisor state: restarted diff --git a/supervisord/tasks/main.yml b/supervisord/tasks/main.yml index b35bd03f..7b61ccbb 100644 --- a/supervisord/tasks/main.yml +++ b/supervisord/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Install Supervisor - apt: + ansible.builtin.apt: name: supervisor tags: - supervisord - name: Add http configuration for Supervisor - copy: + ansible.builtin.copy: src: http.conf dest: /etc/supervisor/conf.d/ mode: "0644" diff --git a/tomcat-instance/tasks/alias.yml b/tomcat-instance/tasks/alias.yml index 99ae1910..b61b27e5 100644 --- a/tomcat-instance/tasks/alias.yml +++ b/tomcat-instance/tasks/alias.yml @@ -1,6 +1,6 @@ --- - name: Create bin dir for alias - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/bin" state: directory mode: "0770" @@ -8,7 +8,7 @@ group: "{{ tomcat_instance_name }}" - name: Copy alias script for systemctl --user - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/bin/" mode: "0770" diff --git a/tomcat-instance/tasks/bootstrap.yml b/tomcat-instance/tasks/bootstrap.yml index 001088b1..818ddceb 100644 --- a/tomcat-instance/tasks/bootstrap.yml +++ b/tomcat-instance/tasks/bootstrap.yml 
@@ -1,6 +1,6 @@ --- - name: Create tomcat dirs - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/{{ item }}" state: directory mode: "u=rwx,g=rwxs,o=" @@ -15,7 +15,7 @@ - 'lib' - name: Templating of env file - template: + ansible.builtin.template: src: 'templates/env.j2' dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/env" mode: "0660" @@ -24,7 +24,7 @@ force: no - name: Templating of server.xml file - template: + ansible.builtin.template: src: 'templates/server.xml-tomcat{{ tomcat_version }}.j2' dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/server.xml" mode: "0660" @@ -33,7 +33,7 @@ force: no - name: Copy config file - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/{{ item | basename }}" mode: "0660" diff --git a/tomcat-instance/tasks/check.yml b/tomcat-instance/tasks/check.yml index b9426a33..3273b802 100644 --- a/tomcat-instance/tasks/check.yml +++ b/tomcat-instance/tasks/check.yml @@ -1,10 +1,11 @@ --- - name: Check tomcat_instance_name - debug: + ansible.builtin.debug: msg: "{{ tomcat_instance_name }}" - name: Check use of gid - command: id -ng "{{ tomcat_instance_port }}" + ansible.builtin.command: + cmd: id -ng "{{ tomcat_instance_port }}" register: check_port_gid changed_when: False failed_when: @@ -12,7 +13,8 @@ - check_port_gid.stdout != "{{ tomcat_instance_name }}" - name: Check use of uid - command: id -nu "{{ tomcat_instance_port }}" + ansible.builtin.command: + cmd: id -nu "{{ tomcat_instance_port }}" register: check_port_uid changed_when: False failed_when: diff --git a/tomcat-instance/tasks/main.yml b/tomcat-instance/tasks/main.yml index 1da21794..70baa536 100644 --- a/tomcat-instance/tasks/main.yml +++ b/tomcat-instance/tasks/main.yml 
@@ -1,6 +1,6 @@
 ---
-- include: check.yml
-- include: user.yml
-- include: systemd.yml
-- include: alias.yml
-- include: bootstrap.yml
+- ansible.builtin.include: check.yml
+- ansible.builtin.include: user.yml
+- ansible.builtin.include: systemd.yml
+- ansible.builtin.include: alias.yml
+- ansible.builtin.include: bootstrap.yml
diff --git a/tomcat-instance/tasks/systemd.yml b/tomcat-instance/tasks/systemd.yml
index c3a6a877..87c64ae6 100644
--- a/tomcat-instance/tasks/systemd.yml
+++ b/tomcat-instance/tasks/systemd.yml
@@ -1,10 +1,11 @@
 ---
 - name: Enable systemd user mode
- command: "loginctl enable-linger {{ tomcat_instance_name }}"
+ ansible.builtin.command:
+ cmd: "loginctl enable-linger {{ tomcat_instance_name }}"
 changed_when: False
 - name: Set systemd conf var
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/.profile"
 state: present
 owner: "{{ tomcat_instance_name }}"
diff --git a/tomcat-instance/tasks/user.yml b/tomcat-instance/tasks/user.yml
index d4fc8521..e24870e6 100644
--- a/tomcat-instance/tasks/user.yml
+++ b/tomcat-instance/tasks/user.yml
@@ -1,31 +1,33 @@ --- -- fail: +- ansible.builtin.fail: msg: "You must provide a value for the 'tomcat_instance_port' variable." when: tomcat_instance_port is not defined or tomcat_instance_port | length == 0 - name: "Test if uid '{{ tomcat_instance_port }}' exists" - command: 'id -un -- "{{ tomcat_instance_port }}"' + ansible.builtin.command: + cmd: 'id -un -- "{{ tomcat_instance_port }}"' register: get_login_from_id failed_when: False changed_when: False check_mode: no - name: "Fail if uid already exists for another user" - fail: + ansible.builtin.fail: msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'" when: - get_login_from_id.rc == 0 - get_login_from_id.stdout != tomcat_instance_name - name: Create group instance - group: + + ansible.builtin.group: name: "{{ tomcat_instance_name }}" gid: "{{ tomcat_instance_port }}" - name: Create user instance - user: + ansible.builtin.user: name: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" uid: "{{ tomcat_instance_port }}" @@ -34,7 +36,7 @@ createhome: no - name: Create home dir - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}" state: directory owner: "{{ tomcat_instance_name }}" @@ -42,12 +44,12 @@ mode: "u=rwx,g=rwxs,o=" - name: Is /etc/aliases present? - stat: + ansible.builtin.stat: path: /etc/aliases register: etc_aliases - name: Set mail alias for user - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/aliases' state: present line: "{{ tomcat_instance_name }}: {{ tomcat_instance_mail }}" @@ -56,11 +58,12 @@ register: tomcat_instance_mail_alias - name: Run newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases when: tomcat_instance_mail_alias is changed - name: Enable sudo right - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/sudoers.d/tomcat' state: present mode: "0440" 
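Review bot: The `Create group instance` task gains an empty `+` line between `- name: Create group instance` and `ansible.builtin.group:` (the hunk grows from 31 to 33 lines, one for the `cmd:` split and one for this blank). YAML accepts a blank line inside a mapping, but it reads as if the task had ended and no other task in this series is written that way; drop the blank line. The same stray blank line is added to the `Create www-evoadmin group` task in webapps/evoadmin-web/tasks/user.yml.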
@@ -69,7 +72,7 @@
 validate: 'visudo -cf %s'
 - name: Enable sudo right for deploy user
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: '/etc/sudoers.d/tomcat'
 state: present
 mode: "0440"
diff --git a/tomcat/tasks/main.yml b/tomcat/tasks/main.yml
index 545c0813..2cc62d0a 100644
--- a/tomcat/tasks/main.yml
+++ b/tomcat/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
-- include: packages.yml
+- ansible.builtin.include: packages.yml
-- include: nagios.yml
+- ansible.builtin.include: nagios.yml
diff --git a/tomcat/tasks/nagios.yml b/tomcat/tasks/nagios.yml
index 1eb297cf..d51b4375 100644
--- a/tomcat/tasks/nagios.yml
+++ b/tomcat/tasks/nagios.yml
@@ -1,19 +1,19 @@
 ---
 - name: Intall monitorings plugins
- apt:
+ ansible.builtin.apt:
 name: monitoring-plugins
 state: present
-- include_role:
+- ansible.builtin.include_role:
 name: evolix/remount-usr
 - name: Create Nagios plugins dir
- file:
+ ansible.builtin.file:
 path: /usr/local/lib/nagios/plugins
 state: directory
 - name: Copy Tomcat instance check
- template:
+ ansible.builtin.template:
 src: check_tomcat_instance.sh.j2
 dest: /usr/local/lib/nagios/plugins/check_tomcat_instance.sh
 mode: "0755"
diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml
index f1b968cc..a4b25661 100644
--- a/tomcat/tasks/packages.yml
+++ b/tomcat/tasks/packages.yml
@@ -1,35 +1,35 @@ --- - name: Set Tomcat version to 7 on Debian 8 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 7 when: - ansible_distribution_release == "jessie" - tomcat_version is not defined - name: Set Tomcat version to 8 on Debian 9 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 8 when: - ansible_distribution_release == "stretch" - tomcat_version is not defined - name: Set Tomcat version to 9 on Debian 10 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 9 when: - ansible_distribution_release == "buster" - tomcat_version is not defined - name: Set Tomcat version to 9 on Debian 11 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 9 when: - ansible_distribution_release == "bullseye" - tomcat_version is not defined - name: Install packages - apt: + ansible.builtin.apt: name: - "tomcat{{ tomcat_version }}" - "tomcat{{ tomcat_version }}-user" @@ -37,7 +37,7 @@ state: present - name: Create tomcat root dir - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}" state: directory owner: "{{ tomcat_root_dir_owner | default('root') }}" @@ -45,13 +45,13 @@ mode: "0755" - name: Copy systemd unit - template: + ansible.builtin.template: src: 'tomcat.service.j2' dest: "/etc/systemd/user/tomcat.service" mode: "0755" - name: Disable default tomcat service - service: + ansible.builtin.service: name: "tomcat{{ tomcat_version }}" state: stopped enabled: false diff --git a/unbound/handlers/main.yml b/unbound/handlers/main.yml index 05a3ff40..7c801751 100644 --- a/unbound/handlers/main.yml +++ b/unbound/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: reload unbound - service: + ansible.builtin.service: name: unbound state: reloaded diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index ea7e9060..6e76eb3b 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml 
@@ -1,6 +1,6 @@ --- - name: Install Unbound package - apt: + ansible.builtin.apt: name: unbound state: present when: ansible_distribution == "Debian" @@ -8,7 +8,7 @@ - unbound - name: Retrieve list of root DNS servers - get_url: + ansible.builtin.get_url: url: https://www.internic.net/domain/named.cache dest: /etc/unbound/root.hints force: yes @@ -18,7 +18,7 @@ - unbound - name: Copy Unbound config - template: + ansible.builtin.template: src: unbound.conf.j2 dest: /etc/unbound/unbound.conf owner: root @@ -30,7 +30,7 @@ - unbound - name: Starting and enabling Unbound - service: + ansible.builtin.service: name: unbound enabled: yes state: started diff --git a/userlogrotate/tasks/main.yml b/userlogrotate/tasks/main.yml index 2642186c..4f9c5fc7 100644 --- a/userlogrotate/tasks/main.yml +++ b/userlogrotate/tasks/main.yml @@ -15,7 +15,7 @@ when: find_logrotate.files | length>0 - name: "Install userlogrotate (jessie)" - copy: + ansible.builtin.copy: src: userlogrotate_jessie dest: /etc/cron.weekly/userlogrotate mode: "0755" @@ -24,7 +24,7 @@ - find_logrotate.files | length==0 - name: "Install userlogrotate (Debian 9 or later)" - copy: + ansible.builtin.copy: src: userlogrotate dest: /etc/cron.weekly/userlogrotate mode: "0755" diff --git a/varnish/handlers/main.yml b/varnish/handlers/main.yml index 6e47bc10..96b9fb5a 100644 --- a/varnish/handlers/main.yml +++ b/varnish/handlers/main.yml @@ -1,21 +1,21 @@ --- - name: reload varnish - systemd: + ansible.builtin.systemd: name: varnish state: reloaded daemon_reload: yes - name: restart varnish - systemd: + ansible.builtin.systemd: name: varnish state: restarted daemon_reload: yes - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index cca302bb..b06ab5a2 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml 
@@ -1,13 +1,13 @@ --- - name: Install Varnish - apt: + ansible.builtin.apt: name: varnish state: present tags: - varnish - name: Fetch packages - package_facts: + ansible.builtin.package_facts: manager: auto check_mode: no tags: @@ -15,7 +15,7 @@ - config - update-config -- set_fact: +- ansible.builtin.set_fact: varnish_package_facts: "{{ ansible_facts.packages['varnish'] | first }}" check_mode: no tags: @@ -32,7 +32,7 @@ # - update-config - name: Remove default varnish configuration files - file: + ansible.builtin.file: path: "{{ item }}" state: absent loop: @@ -45,7 +45,7 @@ - config - name: Copy Custom Varnish ExecReload script (Debian < 10) - template: + ansible.builtin.template: src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" mode: "0700" @@ -57,7 +57,7 @@ - varnish - name: Create a system config directory for systemd overrides - file: + ansible.builtin.file: path: /etc/systemd/system/varnish.service.d state: directory tags: @@ -65,7 +65,7 @@ - config - name: Remove legacy systemd override - file: + ansible.builtin.file: path: /etc/systemd/system/varnish.service.d/evolinux.conf state: absent notify: @@ -75,7 +75,7 @@ - config - name: Varnish systemd override template (Varnish 4 and 5) - set_fact: + ansible.builtin.set_fact: varnish_systemd_override_template: override.conf.varnish4.j2 when: - varnish_package_facts['version'] is version('4', '>=') @@ -86,7 +86,7 @@ - update-config - name: Varnish systemd override template (Varnish 6) - set_fact: + ansible.builtin.set_fact: varnish_systemd_override_template: override.conf.varnish6.j2 when: - varnish_package_facts['version'] is version('6', '>=') @@ -97,7 +97,7 @@ - update-config - name: Varnish systemd override template (Varnish 7 and later) - set_fact: + ansible.builtin.set_fact: varnish_systemd_override_template: override.conf.varnish7.j2 when: - varnish_package_facts['version'] is version('7', '>=') 
@@ -107,7 +107,7 @@ - update-config - name: Override Varnish systemd unit - template: + ansible.builtin.template: src: "{{ varnish_systemd_override_template }}" dest: /etc/systemd/system/varnish.service.d/override.conf force: yes @@ -120,7 +120,7 @@ - update-config - name: Patch logrotate conf - replace: + ansible.builtin.replace: name: /etc/logrotate.d/varnish regexp: '^(\s+)(/usr/sbin/invoke-rc.d {{ item }}.*)' replace: '\1systemctl -q is-active {{ item }} && \2' @@ -132,7 +132,7 @@ - logrotate - name: Copy Varnish configuration - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ varnish_config_file }}" mode: "0644" @@ -156,7 +156,7 @@ - update-config - name: Create Varnish config dir - file: + ansible.builtin.file: path: /etc/varnish/conf.d state: directory mode: "0755" @@ -166,7 +166,7 @@ - update-config - name: Copy included Varnish config - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/varnish/conf.d/ force: yes @@ -183,11 +183,11 @@ # We usually use /vat/tmp-cache then validate the syntax with this command: # sudo -u vcache TMPDIR=/var/tmp-vcache varnishd -Cf /etc/varnish/default.vcl > /dev/null - name: Special tmp directory - file: + ansible.builtin.file: path: "{{ varnish_tmp_dir }}" state: directory owner: vcache group: varnish mode: "0750" -- include: munin.yml +- ansible.builtin.include: munin.yml diff --git a/varnish/tasks/munin.yml b/varnish/tasks/munin.yml index 77637a98..3b329d46 100644 --- a/varnish/tasks/munin.yml +++ b/varnish/tasks/munin.yml 
@@ -1,29 +1,29 @@ --- - name: Install dependencies - apt: + ansible.builtin.apt: name: libxml-parser-perl tags: varnish -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: varnish - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" tags: varnish - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" tags: varnish - name: Copy varnish5 munin plugin - copy: + ansible.builtin.copy: src: munin/varnish5_ dest: /usr/local/share/munin/plugins/ mode: "0755" @@ -31,7 +31,7 @@ tags: varnish - name: Enable varnish5 munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/varnish5_ dest: "/etc/munin/plugins/varnish5_{{ item }}" state: link @@ -51,7 +51,7 @@ tags: varnish - name: Copy varnish5 munin plugin config - copy: + ansible.builtin.copy: src: munin/varnish5.conf dest: /etc/munin/plugin-conf.d/varnish5 mode: "0644" diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index e58595a2..87a05092 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -1,18 +1,18 @@ --- - name: set unit name - set_fact: + ansible.builtin.set_fact: vrrp_systemd_unit_name: "vrrp-{{ vrrp_address.id }}.service" - name: add systemd unit - template: + ansible.builtin.template: src: vrrp.service.j2 dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}" force: yes register: vrrp_systemd_unit - name: enable and start systemd unit - systemd: + ansible.builtin.systemd: name: "{{ vrrp_systemd_unit_name }}" daemon_reload: yes enabled: yes diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml index 44ebe65a..605fb0fd 100644 --- a/vrrpd/tasks/main.yml +++ b/vrrpd/tasks/main.yml 
@@ -1,13 +1,13 @@ --- - name: Install Evolix public repositry - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: evolix_public.yml tags: - vrrpd - name: Install vrrpd packages - apt: + ansible.builtin.apt: name: vrrpd=1.0-2.evolix allow_unauthenticated: yes state: present @@ -15,7 +15,7 @@ - vrrpd - name: Adjust sysctl config (except rp_filter) - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/vrrpd.conf @@ -29,14 +29,15 @@ - vrrpd - name: look if rp_filter is managed by minifirewall - command: grep "SYSCTL_RP_FILTER=" /etc/default/minifirewall + ansible.builtin.command: + cmd: grep "SYSCTL_RP_FILTER=" /etc/default/minifirewall failed_when: False changed_when: False check_mode: no register: grep_sysctl_rp_filter_minifirewall - name: Configure SYSCTL_RP_FILTER in minifirewall - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_RP_FILTER='0'" regexp: "SYSCTL_RP_FILTER=('|\").*('|\")" @@ -44,7 +45,7 @@ when: grep_sysctl_rp_filter_minifirewall.rc == 0 - name: Adjust sysctl config (only rp_filter) - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/vrrpd.conf @@ -58,7 +59,7 @@ - vrrpd - name: Create VRRP address - include: ip.yml + ansible.builtin.include: ip.yml loop: "{{ vrrp_addresses }}" loop_control: loop_var: "vrrp_address" \ No newline at end of file diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml index beb030e2..a8638ea5 100644 --- a/webapps/evoadmin-mail/handlers/main.yml +++ b/webapps/evoadmin-mail/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: reload php-fpm - service: + ansible.builtin.service: name: php7.0-fpm state: reloaded 
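Review bot: The two sysctl tasks now reference `ansible.posix.sysctl`, which makes the role depend on the `ansible.posix` collection; nothing in this diff declares it (a `collections/requirements.yml` or `meta/` entry), so whether it is already satisfied elsewhere in the repository I cannot tell from here. The same applies to `ansible.posix.patch` in webapps/evoadmin-web/tasks/ftp.yml and to `community.general.ini_file` in webapps/evoadmin-mail/tasks/main.yml and webapps/evoadmin-web/tasks/web.yml. Unrelated to the rename but on the new side: `allow_unauthenticated: yes` on the `vrrpd=1.0-2.evolix` install disables apt signature verification, and since the task just above includes `evolix/apt` with `tasks_from: evolix_public.yml`, it is worth checking whether that repository is signed so the flag can go. The file also still ends without a trailing newline (`\ No newline at end of file`), which could have been fixed while touching its last task.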
diff --git a/webapps/evoadmin-mail/tasks/apache.yml b/webapps/evoadmin-mail/tasks/apache.yml
index f975c5f9..26c2b53b 100644
--- a/webapps/evoadmin-mail/tasks/apache.yml
+++ b/webapps/evoadmin-mail/tasks/apache.yml
@@ -1,6 +1,6 @@
 ---
 - name: Install evoadminmail VHost
- template:
+ ansible.builtin.template:
 src: apache_evoadminmail.conf.j2
 dest: /etc/apache2/sites-available/evoadminmail.conf
 notify: reload apache2
@@ -8,7 +8,7 @@
 - evoadmin-mail
 - name: Enable evoadminmail vhost
- file:
+ ansible.builtin.file:
 src: "/etc/apache2/sites-available/evoadminmail.conf"
 dest: "/etc/apache2/sites-enabled/evoadminmail.conf"
 state: link
@@ -18,7 +18,7 @@
 - evoadmin-mail
 - name: Disable evoadminmail vhost
- file:
+ ansible.builtin.file:
 dest: "/etc/apache2/sites-enabled/evoadminmail.conf"
 state: absent
 notify: reload apache2
diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml
index 88f2dbb6..a1018eca 100644
--- a/webapps/evoadmin-mail/tasks/main.yml
+++ b/webapps/evoadmin-mail/tasks/main.yml
@@ -1,18 +1,18 @@
 ---
 - name: Remount /usr RW
- include_role:
+ ansible.builtin.include_role:
 name: evolix/remount-usr
 - name: Install evoadmin-mail package
- apt:
+ ansible.builtin.apt:
 deb: /tmp/evoadmin-mail.deb
 state: present
 tags:
 - evoadmin-mail
 - name: Configure contact mail
- ini_file:
+ community.general.ini_file:
 dest: /etc/evoadmin-mail/config.ini
 section: global
 option: mail
@@ -20,16 +20,16 @@
 tags:
 - evoadmin-mail
-- include: ssl.yml
+- ansible.builtin.include: ssl.yml
-- include: apache.yml
+- ansible.builtin.include: apache.yml
 when: evoadminmail_webserver == "apache"
-- include: nginx.yml
+- ansible.builtin.include: nginx.yml
 when: evoadminmail_webserver == "nginx"
 - name: enable evoadmin-mail link in default site index
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /var/www/index.html
 state: present
 regexp: "EvoAdmin-mail"
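Review bot: `Install evoadmin-mail package` in the webapps/evoadmin-mail/tasks/main.yml hunk installs `deb: /tmp/evoadmin-mail.deb`, a path inside a world-writable directory, and nothing in this diff shows how the file gets there or verifies it before apt installs it as root; depending on how the upload is done, another local user may be able to pre-create or race that path. Staging the package in a root-owned directory, or copying it into place with `ansible.builtin.copy` and a `checksum:` first, removes that window. This is pre-existing behaviour that the rename keeps, so it is a follow-up rather than a fault of this commit.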
diff --git a/webapps/evoadmin-mail/tasks/nginx.yml b/webapps/evoadmin-mail/tasks/nginx.yml index 2cb490e8..9b527009 100644 --- a/webapps/evoadmin-mail/tasks/nginx.yml +++ b/webapps/evoadmin-mail/tasks/nginx.yml @@ -1,6 +1,6 @@ --- - name: Copy php-fpm evoadmin-mail pool - copy: + ansible.builtin.copy: src: pool.evoadmin-mail.conf dest: /etc/php/7.0/fpm/pool.d/evoadmin-mail.conf notify: reload php-fpm @@ -8,7 +8,7 @@ - evoadmin-mail - name: Install evoadminmail VHost - template: + ansible.builtin.template: src: nginx_evoadminmail.conf.j2 dest: /etc/nginx/sites-available/evoadminmail.conf notify: reload nginx @@ -16,7 +16,7 @@ - evoadmin-mail - name: Active evoadminmail VHost - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/evoadminmail.conf" dest: "/etc/nginx/sites-enabled/evoadminmail.conf" state: link @@ -26,7 +26,7 @@ - evoadmin-mail - name: Disable evoadminmail vhost - file: + ansible.builtin.file: dest: "/etc/nginx/sites-enabled/evoadminmail.conf" state: absent notify: reload nginx diff --git a/webapps/evoadmin-mail/tasks/ssl.yml b/webapps/evoadmin-mail/tasks/ssl.yml index b6f47127..9d9c9896 100644 --- a/webapps/evoadmin-mail/tasks/ssl.yml +++ b/webapps/evoadmin-mail/tasks/ssl.yml 
@@ -1,20 +1,21 @@ --- - name: ssl-cert package is installed - apt: + ansible.builtin.apt: name: ssl-cert state: present tags: - evoadmin-mail - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}" + ansible.builtin.command: + cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}" args: creates: "/etc/ssl/private/{{ evoadminmail_host }}.key" tags: - evoadmin-mail - name: Adjust rights on private key - file: + ansible.builtin.file: dest: /etc/ssl/private/{{ evoadminmail_host }}.key owner: root group: ssl-cert @@ -23,7 +24,8 @@ - evoadmin-mail - name: Create certificate for default site - command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt + ansible.builtin.command: + cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt args: creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt" tags: diff --git a/webapps/evoadmin-web/handlers/main.yml b/webapps/evoadmin-web/handlers/main.yml index 669b0553..2c49ce24 100644 --- a/webapps/evoadmin-web/handlers/main.yml +++ b/webapps/evoadmin-web/handlers/main.yml @@ -1,14 +1,15 @@ --- - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: restart apache2 - service: + ansible.builtin.service: name: apache2 state: restarted - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases 
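Review bot: Both `openssl` tasks in this file move the command under `ansible.builtin.command:` / `cmd:` but keep `creates:` in a separate `args:` block, whereas the `Check if Haproxy is installed` task in ssl/tasks/main.yml folds `executable:` into the module arguments and drops `args:` in the same commit. With `cmd:` given as a module argument, `creates:` can sit next to it (`ansible.builtin.command:` / `cmd: openssl req ...` / `creates: "/etc/ssl/private/{{ evoadminmail_host }}.key"`), which is the consistent form. The same split remains in webapps/evoadmin-web/tasks/ssl.yml and in the `Install scripts like web-add.sh` task of webapps/evoadmin-web/tasks/user.yml.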
diff --git a/webapps/evoadmin-web/tasks/config.yml b/webapps/evoadmin-web/tasks/config.yml
index 1053360c..8c3dc801 100644
--- a/webapps/evoadmin-web/tasks/config.yml
+++ b/webapps/evoadmin-web/tasks/config.yml
@@ -1,13 +1,13 @@
 ---
 - name: "Create /etc/evolinux"
- file:
+ ansible.builtin.file:
 dest: "/etc/evolinux"
 recurse: True
 state: directory
 - name: Configure web-add config file
- template:
+ ansible.builtin.template:
 src: "{{ item }}"
 dest: /etc/evolinux/web-add.conf
 force: "{{ evoadmin_add_conf_force }}"
@@ -21,7 +21,7 @@
 register: evoadmin_add_conf_template
 - name: Configure web-add template file for mail
- template:
+ ansible.builtin.template:
 src: "{{ item }}"
 dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl"
 force: "{{ evoadmin_mail_tpl_force }}"
diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml
index 98f275ff..8c400e68 100644
--- a/webapps/evoadmin-web/tasks/ftp.yml
+++ b/webapps/evoadmin-web/tasks/ftp.yml
@@ -1,12 +1,12 @@
 ---
 - name: patch must be installed
- apt:
+ ansible.builtin.apt:
 name: patch
 state: present
 - name: Patch ProFTPd config file
- patch:
+ ansible.posix.patch:
 remote_src: False
 src: ftp/evolinux.conf.diff
 dest: /etc/proftpd/conf.d/z-evolinux.conf
diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml
index 1acb2aa5..19253bf5 100644
--- a/webapps/evoadmin-web/tasks/main.yml
+++ b/webapps/evoadmin-web/tasks/main.yml
@@ -1,24 +1,24 @@ --- - name: "Ensure that evoadmin_contact_email is defined" - fail: + ansible.builtin.fail: msg: Please configure var evoadmin_contact_email when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0 -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: user.yml +- ansible.builtin.include: user.yml -- include: config.yml +- ansible.builtin.include: config.yml -- include: ssl.yml +- ansible.builtin.include: ssl.yml -- include: web.yml +- ansible.builtin.include: web.yml -- include: ftp.yml +- ansible.builtin.include: ftp.yml - name: enable evoadmin-web link in default site index - blockinfile: + ansible.builtin.blockinfile: dest: /var/www/index.html marker: "" block: | diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index 1d0af87a..d44ca731 100644 --- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml @@ -1,16 +1,16 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/apt tasks_from: evolix_public.yml # /!\ Warning, this is a temporary hack -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr # /!\ Warning, this is a temporary hack - name: Install PHP packages from sid (Debian 10) - apt: + ansible.builtin.apt: deb: '{{ item }}' state: present loop: @@ -18,7 +18,7 @@ when: ansible_distribution_major_version is version('10', '=') - name: Install PHP packages from sid (Debian 12) - apt: + ansible.builtin.apt: deb: '{{ item }}' state: present loop: @@ -26,14 +26,14 @@ when: ansible_distribution_major_version is version('12', '=') - name: Install PHP packages - apt: + ansible.builtin.apt: name: - php-pear - php-log state: present - name: Install PHP5 packages (jessie) - apt: + ansible.builtin.apt: name: php5-pam state: present allow_unauthenticated: True diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index 6bdf1421..04fed56c 100644 
--- a/webapps/evoadmin-web/tasks/ssl.yml
+++ b/webapps/evoadmin-web/tasks/ssl.yml
@@ -2,23 +2,25 @@
 - name: ssl-cert package is installed
- apt:
+ ansible.builtin.apt:
 name: ssl-cert
 state: present
 - name: Create private key and csr for default site ({{ ansible_fqdn }})
- command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "/CN={{ evoadmin_host }}"
+ ansible.builtin.command:
+ cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "/CN={{ evoadmin_host }}"
 args:
 creates: "/etc/ssl/private/{{ evoadmin_host }}.key"
 - name: Adjust rights on private key
- file:
+ ansible.builtin.file:
 path: /etc/ssl/private/{{ evoadmin_host }}.key
 owner: root
 group: ssl-cert
 mode: "0640"
 - name: Create certificate for default site
- command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
+ ansible.builtin.command:
+ cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
 args:
 creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt"
diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml
index 0d453e9a..96c29803 100644
--- a/webapps/evoadmin-web/tasks/user.yml
+++ b/webapps/evoadmin-web/tasks/user.yml
@@ -1,7 +1,7 @@
 ---
 - name: Create evoadmin account
- user:
+ ansible.builtin.user:
 name: evoadmin
 comment: "Evoadmin Web Account"
 home: "{{ evoadmin_home_dir }}"
@@ -9,30 +9,31 @@ system: yes - name: Create www-evoadmin group - group: + + ansible.builtin.group: name: www-evoadmin state: present - name: "Create www-evoadmin and add to group shadow (jessie)" - user: + ansible.builtin.user: name: www-evoadmin groups: shadow append: True when: ansible_distribution_release == "jessie" - name: "Create www-evoadmin (Debian 9 or later)" - user: + ansible.builtin.user: name: www-evoadmin system: yes when: ansible_distribution_major_version is version('9', '>=') - name: Is /etc/aliases present? - stat: + ansible.builtin.stat: path: /etc/aliases register: etc_aliases - name: Set evoadmin aliases - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases line: "{{ item.line }}" regexp: "{{ item.regexp }}" @@ -44,12 +45,12 @@ when: etc_aliases.stat.exists - name: Git is needed to clone the evoadmin repository - apt: + ansible.builtin.apt: name: git state: present - name: "Clone evoadmin repository (jessie)" - git: + ansible.builtin.git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root }}" version: jessie @@ -57,7 +58,7 @@ when: ansible_distribution_release == "jessie" - name: "Clone evoadmin repository (Debian 9 or later)" - git: + ansible.builtin.git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root }}" version: master 
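Review bot: The new side of "Create www-evoadmin group" has an empty line between `- name: Create www-evoadmin group` and `ansible.builtin.group:`, which is the one extra line behind this hunk's `+9,31` count; it is valid YAML but reads as if the task had no module, and yaml-based lint rules may flag it. The same stray blank line was added to "Create {{ nextcloud_user }} unix group" in webapps/nextcloud/tasks/user.yml. Dropping it restores the two-line task header used everywhere else in the file.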
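Review bot: "Clone evoadmin repository (Debian 9 or later)" checks out `version: master` of the application into `{{ evoadmin_document_root }}`, so each playbook run deploys whatever the branch head is at that moment, and later tasks in this file copy that tree's `scripts/*` into the scripts directory and install a sudoers file for the evoadmin user. For a web-exposed admin tool that is granted sudo, pinning `version:` to a release tag or commit (and bumping it deliberately) gives reproducible deployments and an audit trail; the jessie task above with `version: jessie` has the same property. The `when:` and any `update:` setting for these tasks sit outside the hunk.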
@@ -65,44 +66,46 @@ when: ansible_distribution_major_version is version('9', '>=') - name: Change ownership on git repository - file: + ansible.builtin.file: dest: "{{ evoadmin_document_root }}" owner: "{{ evoadmin_username }}" group: "{{ evoadmin_username }}" recurse: True - name: Create evoadmin log directory - file: + ansible.builtin.file: name: "{{ evoadmin_log_dir }}" owner: "{{ evoadmin_username }}" group: "{{ evoadmin_username }}" state: directory -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: evoadmin_scripts_dir is search("/usr") - name: "Create {{ evoadmin_scripts_dir }}" - file: + ansible.builtin.file: dest: "{{ evoadmin_scripts_dir }}" # recurse: True mode: "0700" state: directory - name: Install scripts like web-add.sh - shell: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/" + ansible.builtin.shell: + cmd: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/" args: creates: "{{ evoadmin_scripts_dir }}/web-add.sh" # we use a shell command to have a "changed" that really reflects the result. - name: Fix permissions - command: "chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root }}" + ansible.builtin.command: + cmd: "chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root }}" register: command_result changed_when: "'changed' in command_result.stdout" # failed_when: False - name: Add evoadmin sudoers file - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/sudoers.d/evoadmin mode: "0600" diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index ea4019a3..fc266462 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -1,7 +1,7 @@ --- - name: "Set custom values for PHP config (jessie)" - ini_file: + community.general.ini_file: dest: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" 
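Review bot: "Add evoadmin sudoers file" writes `/etc/sudoers.d/evoadmin` from a template with nothing in the visible lines validating the result; a template mistake or a Jinja value containing a newline leaves a drop-in that does not parse, and sudo refuses to run for every user while any included file fails to parse. Unless it is already set in the lines after `mode: "0600"` (the task continues outside the hunk), add `validate: 'visudo -cf %s'` next to `mode:` so Ansible rejects the rendered file before it lands. `mode: "0600"` with root ownership is the right permission for a sudoers drop-in.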
@@ -10,7 +10,7 @@ when: ansible_distribution_release == "jessie" - name: "Set custom values for PHP config (Debian 9)" - ini_file: + community.general.ini_file: dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -19,7 +19,7 @@ when: ansible_distribution_release == "stretch" - name: "Set custom values for PHP config (Debian 10)" - ini_file: + community.general.ini_file: dest: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -28,7 +28,7 @@ when: ansible_distribution_release == "buster" - name: "Set custom values for PHP config (Debian 11)" - ini_file: + community.general.ini_file: dest: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -37,7 +37,7 @@ when: ansible_distribution_release == "bullseye" - name: "Set custom values for PHP config (Debian 11)" - ini_file: + community.general.ini_file: dest: /etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -46,7 +46,7 @@ when: ansible_distribution_release == "bookworm" - name: Install evoadmin VHost - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/apache2/sites-available/evoadmin.conf force: "{{ evoadmin_force_vhost }}" 
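Review bot: The task that writes `/etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini` keeps `name: "Set custom values for PHP config (Debian 11)"`, duplicating the name of the bullseye task just above it, so play output and `--start-at-task` cannot tell the two apart; its `when: ansible_distribution_release == "bookworm"` is the leading context of the next hunk. The php role in this same series sets `php_version: "8.2"` for Debian 12 (php/tasks/main_bookworm.yml), which suggests the path should be `/etc/php/8.2/...` unless this role deliberately targets a Sury-provided 8.1. Suggest `- name: "Set custom values for PHP config (Debian 12)"` and confirming the PHP directory against what the evoadmin host actually installs.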
@@ -61,21 +61,23 @@ notify: reload apache2 - name: Enable evoadmin vhost - command: "a2ensite evoadmin.conf" + ansible.builtin.command: + cmd: "a2ensite evoadmin.conf" register: cmd_a2ensite changed_when: "'Enabling site' in cmd_a2ensite.stdout" notify: reload apache2 when: evoadmin_enable_vhost | bool - name: Disable evoadmin vhost - command: "a2dissite evoadmin.conf" + ansible.builtin.command: + cmd: "a2dissite evoadmin.conf" register: cmd_a2dissite changed_when: "'Disabling site' in cmd_a2dissite.stdout" notify: reload apache2 when: not (evoadmin_enable_vhost | bool) - name: Copy htpasswd for evoadmin - template: + ansible.builtin.template: src: "{{ item }}" dest: "/var/www/.ansible_evoadmin_htpasswd" mode: "0644" @@ -93,7 +95,7 @@ when: evoadmin_htpasswd | bool - name: Copy config file for evoadmin - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ evoadmin_document_root }}/conf/config.local.php" mode: "0640" diff --git a/webapps/nextcloud/handlers/main.yml b/webapps/nextcloud/handlers/main.yml index 46b3b014..6997c361 100644 --- a/webapps/nextcloud/handlers/main.yml +++ b/webapps/nextcloud/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: reload php-fpm - service: + ansible.builtin.service: name: php7.3-fpm state: reloaded - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded \ No newline at end of file diff --git a/webapps/nextcloud/tasks/apache-system.yml b/webapps/nextcloud/tasks/apache-system.yml index 490d2f8d..bbea82a4 100644 --- a/webapps/nextcloud/tasks/apache-system.yml +++ b/webapps/nextcloud/tasks/apache-system.yml 
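Review bot: "Copy htpasswd for evoadmin" deploys the password file `/var/www/.ansible_evoadmin_htpasswd` with `mode: "0644"`, so its password hashes are readable by every local account, including the web applications this server hosts, which is more than Apache needs for basic auth. `mode: "0640"` with `owner: root` and `group:` set to the Apache runtime group (www-data on Debian) keeps it readable by the server and nobody else; the rest of the task (loop/when) is outside the hunk, so check nothing there overrides the mode. The config file written in the next hunk already uses `mode: "0640"`, so this would also make the two consistent.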
@@ -1,16 +1,17 @@ --- - name: "Get PHP Version" - shell: 'php -v | grep "PHP [0-9]." | sed -E "s/PHP ([0-9]\.[0-9]).*/\1/g;"' + ansible.builtin.shell: + cmd: 'php -v | grep "PHP [0-9]." | sed -E "s/PHP ([0-9]\.[0-9]).*/\1/g;"' register: shell_php check_mode: no - name: "Set variables" - set_fact: + ansible.builtin.set_fact: php_version: "{{ shell_php.stdout }}" - name: Apply specific PHP settings (apache) - ini_file: + community.general.ini_file: path: "/etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini" section: '' option: "{{ item.option }}" @@ -23,7 +24,7 @@ - {option: 'memory_limit', value: '512M'} - name: Apply specific PHP settings (cli) - ini_file: + community.general.ini_file: path: "/etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini" section: '' option: "{{ item.option }}" diff --git a/webapps/nextcloud/tasks/apache-vhost.yml b/webapps/nextcloud/tasks/apache-vhost.yml index e3f213ca..36e5b989 100644 --- a/webapps/nextcloud/tasks/apache-vhost.yml +++ b/webapps/nextcloud/tasks/apache-vhost.yml @@ -1,6 +1,6 @@ --- - name: Copy Apache vhost - template: + ansible.builtin.template: src: apache-vhost.conf.j2 dest: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" mode: "0640" @@ -9,7 +9,7 @@ - nextcloud - name: Enable Apache vhost - file: + ansible.builtin.file: src: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" dest: "/etc/apache2/sites-enabled/{{ nextcloud_instance_name }}.conf" state: link diff --git a/webapps/nextcloud/tasks/archive.yml b/webapps/nextcloud/tasks/archive.yml index d59bd582..47defe79 100644 --- a/webapps/nextcloud/tasks/archive.yml +++ b/webapps/nextcloud/tasks/archive.yml @@ -1,7 +1,7 @@ --- - name: Retrieve Nextcloud archive - get_url: + ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" force: no 
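Review bot: "Get PHP Version" registers the output of `php -v | grep ... | sed ...` with `check_mode: no` but no `changed_when`, so every run reports this read-only task as changed, and because the pipeline has no `pipefail` a missing or broken `php` leaves `grep`/`sed` exiting 0 with empty output, which "Set variables" turns into `php_version: ""` and the ini_file tasks then target `/etc/php//apache2/...` instead of failing early. The sibling "Get actual Mysql password" task in mysql-user.yml already sets `changed_when: False`; do the same here, and harden the pipeline with `cmd: 'set -o pipefail; php -v | grep "PHP [0-9]." | sed -E "s/PHP ([0-9]\.[0-9]).*/\1/g;"'` plus `executable: /bin/bash` under `args:` (ansible-lint's risky-shell-pipe rule flags exactly this shape).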
@@ -9,7 +9,7 @@ - nextcloud - name: Retrieve Nextcloud sha256 checksum - get_url: + ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256" force: no @@ -17,7 +17,8 @@ - nextcloud - name: Verify Nextcloud sha256 checksum - command: "sha256sum -c {{ nextcloud_archive_name }}.sha256" + ansible.builtin.command: + cmd: "sha256sum -c {{ nextcloud_archive_name }}.sha256" changed_when: "False" args: chdir: "{{ nextcloud_home }}" @@ -25,7 +26,7 @@ - nextcloud - name: Extract Nextcloud archive - unarchive: + ansible.builtin.unarchive: src: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" dest: "{{ nextcloud_home }}" creates: "{{ nextcloud_home }}/nextcloud" diff --git a/webapps/nextcloud/tasks/config.yml b/webapps/nextcloud/tasks/config.yml index 85142726..2cc8cd7e 100644 --- a/webapps/nextcloud/tasks/config.yml +++ b/webapps/nextcloud/tasks/config.yml @@ -2,15 +2,16 @@ - block: - name: Generate admin password - command: 'apg -n 1 -m 16 -M lcN' + ansible.builtin.command: + cmd: 'apg -n 1 -m 16 -M lcN' register: nextcloud_admin_password_apg check_mode: no changed_when: False - - debug: + - ansible.builtin.debug: var: nextcloud_admin_password_apg - - set_fact: + - ansible.builtin.set_fact: nextcloud_admin_password: "{{ nextcloud_admin_password_apg.stdout }}" tags: @@ -18,7 +19,8 @@ when: nextcloud_admin_password | length == 0 - name: Get Nextcloud Status - shell: "php ./occ status --output json | grep -v 'Nextcloud is not installed'" + ansible.builtin.shell: + cmd: "php ./occ status --output json | grep -v 'Nextcloud is not installed'" args: chdir: "{{ nextcloud_webroot }}" become_user: "{{ nextcloud_user }}" 
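Review bot: "Verify Nextcloud sha256 checksum" compares the archive against a `.sha256` fetched from the same `{{ nextcloud_releases_baseurl }}` as the archive itself, so it catches a truncated download but not a substituted one: whoever can alter the archive at that origin, or on the path to it, can alter the digest alongside. Nextcloud publishes detached GPG signatures for its releases; fetching the `.asc` and verifying it against a release key the role provisions (`gpg --verify {{ nextcloud_archive_name }}.asc {{ nextcloud_archive_name }}`) would turn this into an authenticity check. Alternatively, pin the expected digest in role vars and pass it as `checksum: "sha256:<pinned digest>"` on the `get_url` task in the first hunk, which replaces the separate download and verify steps.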
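Review bot: `- ansible.builtin.debug:` with `var: nextcloud_admin_password_apg` prints the freshly generated admin password (the whole command result, `stdout` included) at default verbosity, so it lands in console output, CI logs and any callback plugin, whereas the equivalent debug in mysql-user.yml is at least gated with `verbosity: 1`. The password is handed to `--admin-pass` in a later task, so the debug is not needed to recover it; either drop it or gate it with `verbosity: 1`, and add `no_log: true` to "Generate admin password" so the registered result is not echoed by `-v` either. The `tags:` and `when:` closing this block are outside the hunk.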
@@ -28,7 +30,8 @@ - nextcloud - name: Install Nextcloud - command: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}" + ansible.builtin.command: + cmd: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}" args: chdir: "{{ nextcloud_webroot }}" creates: "{{ nextcloud_home }}/config/config.php" @@ -38,7 +41,7 @@ - nextcloud - name: Configure Nextcloud Mysql password - replace: + ansible.builtin.replace: dest: "{{ nextcloud_home }}/nextcloud/config/config.php" regexp: "'dbpassword' => '([^']*)'," replace: "'dbpassword' => '{{ nextcloud_db_pass }}'," @@ -46,7 +49,7 @@ - nextcloud - name: Configure Nextcloud cron - cron: + ansible.builtin.cron: name: 'Nextcloud' minute: "*/5" job: "php -f {{ nextcloud_webroot }}/cron.php" @@ -55,7 +58,8 @@ - nextcloud - name: Erase previously trusted domains config - command: "php ./occ config:system:set trusted_domains" + ansible.builtin.command: + cmd: "php ./occ config:system:set trusted_domains" args: chdir: "{{ nextcloud_webroot }}" become_user: "{{ nextcloud_user }}" @@ -63,7 +67,8 @@ - nextcloud - name: Configure trusted domains - command: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 }}" + ansible.builtin.command: + cmd: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 }}" args: chdir: "{{ nextcloud_webroot }}" with_indexed_items: 
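Review bot: "Install Nextcloud" passes `--database-pass {{ nextcloud_db_pass }}` and `--admin-pass {{ nextcloud_admin_password }}` on the `occ` command line without `no_log: true`, so both secrets appear in Ansible's task output under `-v` and in the target's process list while the installer runs. Adding `no_log: true` here, to "Configure Nextcloud Mysql password" in the next hunk, and to the "Get actual Mysql password", "Set Mysql password" and "Create Mysql user" tasks in mysql-user.yml keeps them out of logs; the process-list exposure would need occ to accept the values from the environment or a file, which I have not checked. Separately, `creates: "{{ nextcloud_home }}/config/config.php"` does not match the `{{ nextcloud_home }}/nextcloud/config/config.php` path the next hunk edits, so if the webroot is `{{ nextcloud_home }}/nextcloud` this guard never fires and only the `when:` outside the hunk prevents a re-install.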
diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 2823f8f5..02304334 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install dependencies - apt: + ansible.builtin.apt: state: present name: - bzip2 @@ -23,7 +23,7 @@ # dependency for mysql_user and mysql_db - python2 - name: python modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -34,7 +34,7 @@ # dependency for mysql_user and mysql_db - python3 - name: python3 modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql @@ -43,14 +43,14 @@ - nextcloud when: ansible_python_version is version('3', '>=') -- include: apache-system.yml +- ansible.builtin.include: apache-system.yml -- include: user.yml +- ansible.builtin.include: user.yml -- include: archive.yml +- ansible.builtin.include: archive.yml -- include: apache-vhost.yml +- ansible.builtin.include: apache-vhost.yml -- include: mysql-user.yml +- ansible.builtin.include: mysql-user.yml -- include: config.yml +- ansible.builtin.include: config.yml diff --git a/webapps/nextcloud/tasks/mysql-user.yml b/webapps/nextcloud/tasks/mysql-user.yml index a12a80f4..82c3acb3 100644 --- a/webapps/nextcloud/tasks/mysql-user.yml +++ b/webapps/nextcloud/tasks/mysql-user.yml @@ -1,6 +1,7 @@ --- - name: Get actual Mysql password - shell: "grep password {{ nextcloud_home }}/.my.cnf | awk '{ print $3 }'" + ansible.builtin.shell: + cmd: "grep password {{ nextcloud_home }}/.my.cnf | awk '{ print $3 }'" register: nextcloud_db_pass_grep check_mode: no changed_when: False @@ -9,7 +10,8 @@ - nextcloud - name: Generate Mysql password - command: 'apg -n 1 -m 16 -M lcN' + ansible.builtin.command: + cmd: 'apg -n 1 -m 16 -M lcN' register: nextcloud_db_pass_apg check_mode: no changed_when: False 
@@ -17,17 +19,17 @@ - nextcloud - name: Set Mysql password - set_fact: + ansible.builtin.set_fact: nextcloud_db_pass: "{{ nextcloud_db_pass_grep.stdout | default(nextcloud_db_pass_apg.stdout, True) }}" tags: - nextcloud -- debug: +- ansible.builtin.debug: var: nextcloud_db_pass verbosity: 1 - name: Create Mysql database - mysql_db: + community.mysql.mysql_db: name: "{{ nextcloud_db_name }}" config_file: "/root/.my.cnf" state: present @@ -35,7 +37,7 @@ - nextcloud - name: Create Mysql user - mysql_user: + community.mysql.mysql_user: name: "{{ nextcloud_db_user }}" password: '{{ nextcloud_db_pass }}' priv: "{{ nextcloud_db_name }}.*:ALL" @@ -46,7 +48,7 @@ - nextcloud - name: Store credentials in my.cnf - ini_file: + community.general.ini_file: dest: "{{ nextcloud_home }}/.my.cnf" owner: "{{ nextcloud_user }}" group: "{{ nextcloud_user }}" diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 8fa3fee1..01cc037c 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -1,13 +1,14 @@ --- - name: Create {{ nextcloud_user }} unix group - group: + + ansible.builtin.group: name: "{{ nextcloud_user | mandatory }}" state: present tags: - nextcloud - name: Create {{ nextcloud_user | mandatory }} unix user - user: + ansible.builtin.user: name: "{{ nextcloud_user | mandatory }}" group: "{{ nextcloud_user | mandatory }}" home: "{{ nextcloud_home | mandatory }}" @@ -19,7 +20,7 @@ - nextcloud - name: Create top-level directories - file: + ansible.builtin.file: dest: "{{ item }}" state: directory mode: "0700" diff --git a/webapps/roundcube/handlers/main.yml b/webapps/roundcube/handlers/main.yml index 98b530d9..f16ba8d6 100644 --- a/webapps/roundcube/handlers/main.yml +++ b/webapps/roundcube/handlers/main.yml 
@@ -1,15 +1,15 @@ --- - name: restart imapproxy - systemd: + ansible.builtin.systemd: name: imapproxy state: restarted - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 08fe73d1..17422246 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: configure roundcube-core - debconf: + ansible.builtin.debconf: name: roundcube-core question: "{{ item.key }}" value: "{{ item.value }}" @@ -12,7 +12,7 @@ - roundcube - name: install Roundcube - apt: + ansible.builtin.apt: name: - imapproxy - roundcube @@ -25,7 +25,7 @@ - roundcube - name: configure imapproxy imap host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/imapproxy.conf regexp: "^server_hostname" line: "server_hostname {{ roundcube_imap_host }}" @@ -34,7 +34,7 @@ - roundcube - name: configure imapproxy imap port - lineinfile: + ansible.builtin.lineinfile: dest: /etc/imapproxy.conf regexp: "^server_port" line: "server_port {{ roundcube_imap_port }}" @@ -43,7 +43,7 @@ - roundcube - name: enable and start imapproxy - service: + ansible.builtin.service: name: imapproxy state: started enabled: True @@ -51,7 +51,7 @@ - roundcube - name: configure roundcube imap host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/roundcube/config.inc.php regexp: "\\$config\\['default_host'\\]" line: "$config['default_host'] = array('127.0.0.1');" @@ -59,7 +59,7 @@ - roundcube - name: configure roudcube imap port - lineinfile: + ansible.builtin.lineinfile: dest: /etc/roundcube/config.inc.php regexp: "\\$config\\['default_port'\\]" insertafter: "\\$config\\['default_host'\\]" 
@@ -68,7 +68,7 @@ - roundcube - name: configure managesieve plugin - copy: + ansible.builtin.copy: src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist dest: /etc/roundcube/plugins/managesieve/config.inc.php mode: "0644" @@ -77,7 +77,7 @@ - roundcube - name: enable default plugins - replace: + ansible.builtin.replace: dest: /etc/roundcube/config.inc.php regexp: "^\\$config\\['plugins'\\] = array\\($" replace: "$config['plugins'] = array('zipdownload','managesieve'" @@ -85,7 +85,7 @@ - roundcube - name: deploy apache roundcube vhost - template: + ansible.builtin.template: src: apache2.conf.j2 dest: /etc/apache2/sites-available/roundcube.conf mode: "0640" @@ -95,7 +95,7 @@ - roundcube - name: enable apache roundcube vhost - file: + ansible.builtin.file: src: /etc/apache2/sites-available/roundcube.conf dest: /etc/apache2/sites-enabled/roundcube.conf state: link @@ -105,14 +105,14 @@ - roundcube - name: deploy Nginx roundcube vhost - template: + ansible.builtin.template: src: nginx.conf.j2 dest: /etc/nginx/sites-available/roundcube.conf when: roundcube_webserver == "nginx" notify: reload nginx - name: enable Nginx roundcube vhost - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/roundcube.conf" dest: "/etc/nginx/sites-enabled/roundcube.conf" state: link @@ -120,7 +120,7 @@ notify: reload nginx - name: enable roundcube link in default site index - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html state: present regexp: "Webmail" diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml index 32eda170..3ef832a8 100644 --- a/webapps/wordpress/tasks/main.yml +++ b/webapps/wordpress/tasks/main.yml 
@@ -1,34 +1,36 @@ --- - name: Create bin dir - file: + ansible.builtin.file: state: directory dest: "{{ ansible_env.HOME }}/bin" mode: "0750" - name: Download wp-cli - get_url: + ansible.builtin.get_url: url: "https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar" dest: "{{ ansible_env.HOME }}/bin/wp-cli.phar" mode: "0750" - name: Download Wordpress - shell: '{{ wordpress_wpcli }} core download --locale=fr_FR --version={{ wordpress_version }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core download --locale=fr_FR --version={{ wordpress_version }}' args: creates: "{{ ansible_env.HOME }}/www/index.php" - name: Retrieve .my.cnf - fetch: + ansible.builtin.fetch: src: "{{ ansible_env.HOME }}/.my.cnf" dest: "/tmp/wordpress-{{ ansible_user }}.cnf" flat: yes - name: Generate random password - command: apg -n1 -m 12 -M LCN + ansible.builtin.command: + cmd: apg -n1 -m 12 -M LCN register: shell_password changed_when: False - name: Read mysql config from .my.cnf - set_fact: + ansible.builtin.set_fact: db_host: "{{ lookup('ini', 'host section=client file=/tmp/wordpress-{{ ansible_user }}.cnf default=127.0.0.1') }}" db_user: "{{ lookup('ini', 'user section=client file=/tmp/wordpress-{{ ansible_user }}.cnf default={{ ansible_user }}') }}" db_pwd: "{{ lookup('ini', 'password section=client file=/tmp/wordpress-{{ ansible_user }}.cnf') }}" 
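Review bot: "Download wp-cli" fetches an executable phar from `raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar` and the rest of the role runs it as `{{ wordpress_wpcli }}` with no integrity check, so a compromised or replaced build on that branch flows straight into the site deployment. `ansible.builtin.get_url` accepts `checksum: "sha256:<pinned digest>"`; pinning a released wp-cli version and its published digest makes the download both verifiable and reproducible. "Retrieve .my.cnf" also copies the database credentials to a predictable `/tmp/wordpress-{{ ansible_user }}.cnf` on the controller with no mode set; it is removed later in the file, but a per-run `ansible.builtin.tempfile` path, or reading the values on the target with `ansible.builtin.slurp`, would avoid the shared-/tmp window.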
@@ -36,50 +38,57 @@ admin_pwd: "{{ shell_password.stdout }}" - name: Remove local .my.cnf - file: + ansible.builtin.file: path: "/tmp/wordpress-{{ ansible_user }}.cnf" state: absent delegate_to: localhost - name: Configure Wordpress (wp-config.php) - shell: '{{ wordpress_wpcli }} core config --dbhost={{ db_host }} --dbuser={{ db_user }} --dbpass={{ db_pwd }} --dbname={{ db_name }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core config --dbhost={{ db_host }} --dbuser={{ db_user }} --dbpass={{ db_pwd }} --dbname={{ db_name }}' args: creates: "{{ ansible_env.HOME }}/www/wp-config.php" - name: Configure site - shell: '{{ wordpress_wpcli }} core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password="{{ admin_pwd | quote }}" --admin_email={{ wordpress_email }} --skip-email' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password="{{ admin_pwd | quote }}" --admin_email={{ wordpress_email }} --skip-email' changed_when: False - name: Check if Wordpress is up to date - shell: '{{ wordpress_wpcli }} core check-update | grep -q Success' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core check-update | grep -q Success' register: check_version check_mode: no failed_when: False changed_when: check_version.rc == 1 - name: Update Wordpress - shell: '{{ wordpress_wpcli }} core update --version={{ wordpress_version }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core update --version={{ wordpress_version }}' args: removes: "{{ ansible_env.HOME }}/www/index.php" when: check_version.rc == 1 - name: Install default plugin - shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} || {{ wordpress_wpcli }} plugin install {{ item }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} plugin is-installed {{ item }} || {{ wordpress_wpcli }} plugin install {{ item }}' 
changed_when: False loop: "{{ wordpress_plugins }}" - name: Update default plugins - shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin update {{ item }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin update {{ item }}' changed_when: False loop: "{{ wordpress_plugins }}" - name: Activate default plugins - shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin activate {{ item }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin activate {{ item }}' changed_when: False loop: "{{ wordpress_plugins }}" - name: Send a summary mail - mail: + community.general.mail: host: 'localhost' port: 25 to: "{{ wordpress_email }}" From 70c93310f9ea26ad0f1be3471f056dc958fade52 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Mar 2023 23:48:40 +0100 Subject: [PATCH 24/45] Fix ansible-lint violations --- lxc-php/meta/main.yml | 2 +- mongodb/tasks/main_bookworm.yml | 2 +- php/tasks/main_bookworm.yml | 3 +-- php/tasks/main_bullseye.yml | 3 +-- php/tasks/main_buster.yml | 3 +-- postfix/meta/main.yml | 10 +++++----- postfix/tasks/packmail.yml | 2 +- varnish/tasks/main.yml | 2 +- webapps/nextcloud/tasks/config.yml | 2 +- 9 files changed, 13 insertions(+), 16 deletions(-) diff --git a/lxc-php/meta/main.yml b/lxc-php/meta/main.yml index 88d4c6e9..f0f9bb70 100644 --- a/lxc-php/meta/main.yml +++ b/lxc-php/meta/main.yml @@ -27,4 +27,4 @@ galaxy_info: allow_duplicates: yes -dependencies: [] +dependencies: [] diff --git a/mongodb/tasks/main_bookworm.yml b/mongodb/tasks/main_bookworm.yml index 8261dcb2..ef64f00c 100644 --- a/mongodb/tasks/main_bookworm.yml +++ b/mongodb/tasks/main_bookworm.yml 
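Review bot: "Configure Wordpress (wp-config.php)" interpolates `--dbpass={{ db_pwd }}` and the other `db_*` values into an `ansible.builtin.shell` command without the `| quote` filter that "Configure site" applies to `wordpress_host` and `wordpress_title`, so a database password containing `$`, `;`, quotes or whitespace is mangled by the shell or breaks the command; `--dbpass={{ db_pwd | quote }}` (and likewise for `db_host`, `db_user`, `db_name`) matches the sibling task. Neither this task nor "Configure site", which puts the admin password on the command line, sets `no_log: true`, so both secrets are printed under `-v`. Note too that `--admin_password="{{ admin_pwd | quote }}"` wraps the filter's output in double quotes, so any single quotes `quote` ever emits would be passed literally; the alphanumeric output of `apg -M LCN` happens to avoid that, which is worth a comment if it stays.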
@@ -11,7 +11,7 @@ # - ansible_distribution_release == "bookworm" # - mongodb_version is version('5.0', '<') -- name: Add MongoDB repository +- name: Add MongoDB repository ansible.builtin.template: src: mongodb.sources.j2 dest: /etc/apt/sources.list.d/mongodb.sources diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index d4dd381f..68de60d6 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -3,8 +3,7 @@ - name: "Set php version to 8.2 (Debian 12)" ansible.builtin.set_fact: php_version: "8.2" - when: - - php_sury_enable == false + when: not (php_sury_enable | bool) check_mode: no - name: "Set php config directories (Debian 12)" diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index b12740a7..f8232c45 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -3,8 +3,7 @@ - name: "Set php version to 7.4 if Sury repo is not enabled" ansible.builtin.set_fact: php_version: "7.4" - when: - - php_sury_enable == False + when: not (php_sury_enable | bool) check_mode: no - name: "Set variables (Debian 11)" diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 588d21d5..6a5f1d1a 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -7,8 +7,7 @@ ansible.builtin.set_fact: php_version: "7.3" check_mode: no - when: - - not (php_sury_enable | bool) + when: not (php_sury_enable | bool) - name: "Set variables (Debian 10)" ansible.builtin.set_fact: diff --git a/postfix/meta/main.yml b/postfix/meta/main.yml index 188769a2..b39e6795 100644 --- a/postfix/meta/main.yml +++ b/postfix/meta/main.yml 
@@ -25,8 +25,8 @@ galaxy_info: # alphanumeric characters. Maximum 20 tags per role. dependencies: - - { role: evolix/ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail == True } - - { role: evolix/spamassasin, when: postfix_packmail == True } - - { role: evolix/clamav, when: postfix_packmail == True } - - { role: evolix/opendkim, when: postfix_packmail == True } - - { role: evolix/dovecot, when: postfix_packmail == True } + - { role: evolix/ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail | bool } + - { role: evolix/spamassasin, when: postfix_packmail | bool } + - { role: evolix/clamav, when: postfix_packmail | bool } + - { role: evolix/opendkim, when: postfix_packmail | bool } + - { role: evolix/dovecot, when: postfix_packmail | bool } diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 170dbd35..be0b075e 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -21,7 +21,7 @@ - name: make sure a service Mailgraph is running ansible.builtin.systemd: name: mailgraph.service - state: started + state: started enabled: true - name: create packmail main.cf diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index b06ab5a2..6cdb92db 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -137,7 +137,7 @@ dest: "{{ varnish_config_file }}" mode: "0644" force: yes - when: "{{ varnish_update_config }}" + when: varnish_update_config | bool loop: "{{ query('first_found', templates) }}" vars: templates: diff --git a/webapps/nextcloud/tasks/config.yml b/webapps/nextcloud/tasks/config.yml index 2cc8cd7e..93b9b925 100644 --- a/webapps/nextcloud/tasks/config.yml +++ b/webapps/nextcloud/tasks/config.yml @@ -36,7 +36,7 @@ chdir: "{{ nextcloud_webroot }}" creates: "{{ nextcloud_home }}/config/config.php" become_user: "{{ nextcloud_user }}" - when: (nc_status.stdout | from_json).installed == false + when: not ((nc_status.stdout | from_json).installed | bool) tags: - nextcloud 
From 939b2358a3019e1af6d336acc9519b149488d899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Wed, 22 Mar 2023 15:21:58 +0100 Subject: [PATCH 25/45] openvpn: updated the README file --- CHANGELOG.md | 1 + openvpn/README.md | 28 ++++++++++++++++++++-------- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fafbe518..ea1a712f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * apt: with Debian 12, backports are installed but disabled by default +* openvpn: updated the README file ### Fixed diff --git a/openvpn/README.md b/openvpn/README.md index ddaffcce..79ed6246 100644 --- a/openvpn/README.md +++ b/openvpn/README.md 
@@ -5,17 +5,27 @@ Install and configure OpenVPN, based on [our HowtoOpenVPN wiki](https://wiki.evo ## Tasks Everything is in the `tasks/main.yml` file. -Some manual actions are requested at the end of the playbook, to do before finishing the playbook. -Here is a copy of what is requested : +Here is what this role does : -* You have to manually create the CA on the server with `shellpki init server.example.com`. The command will ask you to create a password, and will ask you again to give the same one several times. -* You have to manually generate the CRL on the server with `openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf`. The previously created password will be asked. -* You have to manually create the server's certificate with `shellpki create server.example.com`. -* You have to adjust the config file `/etc/openvpn/server.conf` for the following parameters : `local` (to check), `cert` (to check), `key` (to add), `server` (to check), `push` (to complete if needed). -* Finally, you can (re)start the OpenVPN service with `systemctl restart openvpn@server.service` on Debian, or `rcctl restart openvpn` on OpenBSD. +* Installs and configures OpenVPN +* Installs and configures shellpki +* Authorizes users in shellpki group to use shellpki with sudo +* Configures NAT if minifirewall exists, for Debian only +* Allows connexion to UDP/1194 port publicly in minifirewall if it exists or in PacketFilter for OpenBSD +* Enables IPv4 forwarding with sysctl +* Configures NRPE to check OpenVPN +* Adds a cron to warn about certificates expiration +* Inits the CA and create the server's certificate -Then, you can use `shellpki` to generate client certificates. +NAT allows servers reached through OpenVPN to be reached by the public IP of the OpenVPN server. The public IP of the OpenVPN server must therefore be allowed on the end servers. 
+ +Some manual actions are requested at the end of the playbook, to do before finishing the playbook : + +* You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn". +* You must take note of the generated CA password and store it in your password manager. + +Finally, you can use `shellpki` to generate client certificates. ## Variables @@ -23,6 +33,8 @@ Then, you can use `shellpki` to generate client certificates. * `openvpn_netmask`: netmask of the network to use for OpenVPN * `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation +By default, if the server IP is 192.0.2.42, then OpenVPN LAN will be 10.2.42.0/24 (last 2 digit of main IP of server set as 2nd and 3rd digit of OpenVPN LAN). + ## Dependencies * Files in `files/shellpki/*` are gotten from the upstream [shellpki](https://gitea.evolix.org/evolix/shellpki) and must be updated when the upstream is. From 47e35f77d2159109aae4634d079127f91daa0ce1 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 27 Mar 2023 10:16:57 +0200 Subject: [PATCH 26/45] evoacme: Fix syntax that introduced extra ending space --- evoacme/templates/evoacme.conf.j2 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/evoacme/templates/evoacme.conf.j2 b/evoacme/templates/evoacme.conf.j2 index eae3ff45..a42e0782 100644 --- a/evoacme/templates/evoacme.conf.j2 +++ b/evoacme/templates/evoacme.conf.j2 
@@ -1,9 +1,9 @@ ### File generated by Ansible ### -SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} } -ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }} } -CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }} } -CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }} } +SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"} +ACME_DIR=${ACME_DIR:-"{{ evoacme_acme_dir }}"} +CSR_DIR=${CSR_DIR:-"{{ evoacme_csr_dir }}"} +CRT_DIR=${CRT_DIR:-"{{ evoacme_crt_dir }}"} HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"} -LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }} } -SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }} } +LOG_DIR=${LOG_DIR:-"{{ evoacme_log_dir }}"} +SSL_MINDAY=${SSL_MINDAY:-"{{ evoacme_ssl_minday }}"} From 09f951de181ade87fceaf8409836d99a84cb1c66 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 27 Mar 2023 11:21:25 +0200 Subject: [PATCH 27/45] listupgrade: No removal (especially of the just installed cron_file) needed --- listupgrade/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index cc5b99aa..f51c0f09 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -58,12 +58,6 @@ month: "{{ listupgrade_cron_month }}" state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" -- name: Remove old lisupgrade typo - ansible.builtin.cron: - name: "lisupgrade.sh" - cron_file: "listupgrade" - state: absent - - name: old-kernel-autoremoval script is present ansible.builtin.copy: src: old-kernel-autoremoval.sh From 0ed1fb9f0a45955e6dd42777f15e3f66b1f806b9 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 27 Mar 2023 16:13:11 +0200 Subject: [PATCH 28/45] evolinux-base: add wrapper task file for backward compatibility --- evolinux-base/tasks/ssh.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 evolinux-base/tasks/ssh.yml diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml new file mode 100644 index 00000000..2e15ec83 --- /dev/null 
+++ b/evolinux-base/tasks/ssh.yml @@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: SSH configuration (Debian <12) + ansible.builtin.import_tasks: ssh.single-file.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: SSH configuration (Debian >=12) + ansible.builtin.import_tasks: ssh.included-files.yml + when: + - ansible_distribution_major_version is version('12', '>=') From 004c85b0ff23a64fe2a36d53322f246a1be38c2c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Mar 2023 23:35:04 +0200 Subject: [PATCH 29/45] typo --- minifirewall/files/minifirewall.conf | 2 +- minifirewall/files/minifirewall.d/zzz-custom | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 1cd73d7f..95043310 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -102,7 +102,7 @@ BACKUPSERVERS='' # # Within included files, you can use those helper functions : # * is_ipv6_enabled: returns true if IPv6 is enabled, or false -# * is_docker_enabled: returns true if Docker mode is eabled, or false +# * is_docker_enabled: returns true if Docker mode is enabled, or false # * is_proxy_enabled: returns true if Proxy mode is enabled , or false diff --git a/minifirewall/files/minifirewall.d/zzz-custom b/minifirewall/files/minifirewall.d/zzz-custom index 7ac24f06..fa0f5374 100644 --- a/minifirewall/files/minifirewall.d/zzz-custom +++ b/minifirewall/files/minifirewall.d/zzz-custom @@ -7,5 +7,5 @@ # # Within included files, you can use those helper functions : # * is_ipv6_enabled: returns true if IPv6 is enabled, or false -# * is_docker_enabled: returns true if Docker mode is eabled, or false +# * is_docker_enabled: returns true if Docker mode is enabled, or false # * is_proxy_enabled: returns true if Proxy mode is enabled , or false From 78c70c1d05e46c09a8d19419a4f5b2b6bd870c30 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Mon, 27 Mar 2023 23:36:26 +0200 Subject: [PATCH 30/45] mysql: create log directory for stretch and later --- mysql/tasks/main.yml | 12 +++--------- mysql/tasks/packages_stretch.yml | 29 +++++++++++++++++++++-------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index cc32bff4..73493588 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -4,21 +4,13 @@ ansible.builtin.set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" -- name: Default log directory is present - ansible.builtin.file: - path: /var/log/mysql - owner: mysql - group: adm - mode: "2750" - state: directory - when: ansible_distribution_major_version is version('12', '>=') - - ansible.builtin.include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') - ansible.builtin.include_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" + ## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility - ansible.builtin.include_tasks: users_bullseye.yml when: ansible_distribution_major_version is version('11', '>=') @@ -32,12 +24,14 @@ - ansible.builtin.include_tasks: users_jessie.yml when: ansible_distribution_release == "jessie" + - ansible.builtin.include_tasks: config_stretch.yml when: ansible_distribution_major_version is version('9', '>=') - ansible.builtin.include_tasks: config_jessie.yml when: ansible_distribution_release == "jessie" + - ansible.builtin.include_tasks: replication.yml when: mysql_replication | bool diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 8853a13c..acd98d2e 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml 
@@ -8,8 +8,21 @@ update_cache: yes state: present tags: - - mysql - - packages + - mysql + - packages + +- name: Default log directory is present + ansible.builtin.file: + path: /var/log/mysql + owner: mysql + group: adm + mode: "2750" + state: directory + notify: restart mysql + tags: + - mysql + - packages + when: ansible_distribution_major_version is version('12', '>=') - name: Install MySQL dev packages ansible.builtin.apt: @@ -17,8 +30,8 @@ update_cache: yes state: present tags: - - mysql - - packages + - mysql + - packages when: mysql_install_libclient | bool - name: MySQL is started @@ -26,16 +39,16 @@ name: mysql state: started tags: - - mysql - - services + - mysql + - services - name: apg package is installed ansible.builtin.apt: name: apg state: present tags: - - mysql - - packages + - mysql + - packages - name: Python2 dependencies for Ansible are installed ansible.builtin.apt: From a999ac20da540f2de3fd912a3f0d6b2053e65925 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Mar 2023 23:36:35 +0200 Subject: [PATCH 31/45] fqcn --- tomcat-instance/tasks/check.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tomcat-instance/tasks/check.yml b/tomcat-instance/tasks/check.yml index 3273b802..e172d5c3 100644 --- a/tomcat-instance/tasks/check.yml +++ b/tomcat-instance/tasks/check.yml 
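Review bot: The new `Default log directory is present` task notifies `restart mysql` directly, which bypasses the `mysql_restart_handler_name` switch that `mysql/tasks/main.yml` derives from `mysql_restart_if_needed` (visible in the previous hunk), so an ownership or mode drift on `/var/log/mysql` restarts MySQL even when the operator selected the no-op handler. Use `notify: "{{ mysql_restart_handler_name }}"` so this task follows the same policy as the rest of the role. The handler names themselves are defined outside this diff, so I am assuming both `restart mysql` and `restart mysql (noop)` exist as main.yml implies.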
@@ -22,4 +22,5 @@ - check_port_uid.stdout != "{{ tomcat_instance_name }}" #- name: Check use of http port -# command: grep ' Date: Wed, 29 Mar 2023 11:41:26 +0200 Subject: [PATCH 32/45] generate-ldif: Support for Debian 12 The script required few changes to adapt to the new output of lscpu & usage of lspci lscpu - Multiple Vendor ID fields (CPU & Bios) > We keep the first one tied to the CPU info - No more CPU Speed displayed for virtual machines. We guess the CPU Speed with the CPU Name (Thanks intel puting it in the CPU Name). But that's not going to work with AMD CPUs. An alternative would be to have a peek at /proc/cpu lspci - Remove the "0x" prefix as it seems invalid with lscpi version on Debian 12. On older debian, vendor/device id are accepted with or without the "0x" prefix --- CHANGELOG.md | 2 ++ generate-ldif/templates/generateldif.sh.j2 | 24 +++++++++++----------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea1a712f..65fc4ab1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* generate-ldif: Support for Debian 12 + ### Removed ### Security diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 229c1443..e306f075 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 
@@ -40,27 +40,27 @@ if [ "$type" = "kvm" ]; then HardwareMark="KVM" HardwareModel="Virtual Machine" - cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) - cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" - cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" + cpuMark=$(lscpu | grep "Vendor ID:" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "GHz" | head -n1 | tr -s '\t' ' ' | cut -d'@' -f2 | tr -d ' ')" elif [ "$type" = "vmware" ]; then ComputerType="VM" HardwareMark="VMWare" HardwareModel="Virtual Machine" - cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) - cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" - cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" + cpuMark=$(lscpu | grep "Vendor ID:" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "GHz" | head -n1 | tr -s '\t' ' ' | cut -d'@' -f2 | tr -d ' ')" elif [ "$type" = "virtualbox" ]; then ComputerType="VM" HardwareMark="VirtualBox" HardwareModel="Virtual Machine" - cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) - cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" - cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" + cpuMark=$(lscpu | grep "Vendor ID:" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "GHz" | head -n1 | tr -s '\t' ' ' | cut -d'@' -f2 | tr -d ' ')" else ComputerType="Baremetal" HardwareModel=$(dmidecode -s system-product-name | grep -v '^#') 
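Review bot: `cpuFreq` becomes an empty string whenever no `lscpu` line contains `GHz` — the commit message itself says this happens for AMD models — and `grep "GHz"` matches any line carrying that string, not specifically `Model name`, so on Debian 12 the `BIOS Model name` line can be picked up too. The same three lines are now duplicated verbatim in the kvm, vmware and virtualbox branches; a shared helper that anchors on `Model name` and falls back to the `CPU max MHz` field keeps the branches identical and yields a value instead of nothing (sketch below, field layout to be confirmed on a Debian 12 host). The `if`/`elif` chain continues past the hunk (the baremetal branch is outside it).
```shell
# … unchanged: type detection above …
virtual_cpu_info() {
    cpuMark=$(lscpu | grep "Vendor ID:" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3)
    cpuModel="Virtual $(lscpu | grep "Model name" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
    cpuFreq="$(lscpu | grep "Model name" | head -n1 | grep "GHz" | cut -d'@' -f2 | tr -d ' ')"
    # Fallback when the model name carries no frequency (e.g. AMD): use lscpu's "CPU max MHz" field if present
    if [ -z "${cpuFreq}" ]; then
        freq=$(lscpu | grep "CPU max MHz" | head -n1 | cut -d':' -f2 | tr -d ' ')
        [ -n "${freq}" ] && cpuFreq="${freq}MHz"
    fi
}
    HardwareModel="Virtual Machine"
    virtual_cpu_info
# … unchanged: vmware and virtualbox branches call virtual_cpu_info the same way …
```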
@@ -307,10 +307,10 @@ for net in $(ls /sys/class/net); do hw=$(cat ${path}/address) # In some cases some devices does not have a vendor or device, skip it test -f ${path}/device/vendor || continue - vendor_id=$(cat ${path}/device/vendor) + vendor_id=$(cat ${path}/device/vendor | sed -E 's/^0x//g') test -f ${path}/device/device || continue - dev_id=$(cat ${path}/device/device) - [ "${dev_id}" = "0x0001" ] && dev_id="0x1000" + dev_id=$(cat ${path}/device/device | sed -E 's/^0x//g') + [ "${dev_id}" = "0001" ] && dev_id="1000" dev=$(lspci -d "${vendor_id}:${dev_id}" -vm) vendor=$(echo "${dev}" | grep -E "^Vendor" | cut -d':' -f2 | xargs) model=$(echo "${dev}" | grep -E "^Vendor" -A1 | grep -E "^Device" | cut -d':' -f2 | xargs) From d37f6c0e3fd7ccddd1b4f7a889714f862a9d40e5 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 30 Mar 2023 13:19:13 +0200 Subject: [PATCH 33/45] PgBouncer: add handler (restart) --- CHANGELOG.md | 1 + pgbouncer/handlers/main.yml | 5 +++++ pgbouncer/tasks/main.yml | 3 +++ 3 files changed, 9 insertions(+) create mode 100644 pgbouncer/handlers/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 65fc4ab1..51ce155e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: with Debian 12, backports are installed but disabled by default * openvpn: updated the README file +* pgbouncer: add handler to restart the service ### Fixed diff --git a/pgbouncer/handlers/main.yml b/pgbouncer/handlers/main.yml new file mode 100644 index 00000000..f539a226 --- /dev/null +++ b/pgbouncer/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart PgBouncer + ansible.builtin.systemd: + name: pgbouncer.service + state: restarted diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml index fefef4e1..1d76931f 100644 --- a/pgbouncer/tasks/main.yml +++ b/pgbouncer/tasks/main.yml 
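Review bot: The `0001` → `1000` remap on the new `dev_id` line carries no explanation, and now that the `0x` prefix is stripped a reader cannot even tell the value is a PCI device id; add a comment above it such as `# <reason> — TODO(owner): document why device id 0001 is remapped to 1000`. Style: `cat ${path}/device/vendor | sed -E 's/^0x//g'` reads as `vendor_id=$(sed -E 's/^0x//' "${path}/device/vendor")` — the `g` flag is a no-op on an anchored pattern and the `cat` is redundant; same for `dev_id`. If either variable ends up empty, `lspci -d "${vendor_id}:${dev_id}"` receives a partial filter and may match unrelated devices, so a guard mirroring the existing `test -f … || continue` checks, `[ -n "${vendor_id}" ] && [ -n "${dev_id}" ] || continue`, would be consistent. The enclosing `for net in $(ls /sys/class/net)` loop starts outside the hunk.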
@@ -7,11 +7,14 @@ ansible.builtin.lineinfile: path: /etc/default/pgbouncer line: ulimit -n 65536 + notify: Restart PgBouncer - name: Add config file for PgBouncer ansible.builtin.template: src: pgbouncer.ini.j2 dest: /etc/pgbouncer/pgbouncer.ini + notify: Restart PgBouncer - name: Populate userlist.txt ansible.builtin.template: src: userlist.txt.j2 dest: /etc/pgbouncer/userlist.txt + notify: Restart PgBouncer From ce247dba5668806bdb4000977bccb32726d0b287 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 30 Mar 2023 17:58:30 +0200 Subject: [PATCH 34/45] Add role for Graylog --- CHANGELOG.md | 2 + graylog/README.md | 18 +++++++ graylog/defaults/main.yml | 5 ++ graylog/tasks/main.yml | 100 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 125 insertions(+) create mode 100644 graylog/README.md create mode 100644 graylog/defaults/main.yml create mode 100644 graylog/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 51ce155e..0a307be6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* graylog: new role + ### Changed * apt: with Debian 12, backports are installed but disabled by default diff --git a/graylog/README.md b/graylog/README.md new file mode 100644 index 00000000..1ad4e712 --- /dev/null +++ b/graylog/README.md @@ -0,0 +1,18 @@ +# Graylog + +Installation and basic configuration of Graylog. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +Main variables are : + +* `graylog_version`: the Graylog version to install (default: `5.0`), +* `graylog_listen_ip`: the listen IP for Graylog (default: `"127.0.0.1"`), +* `graylog_listen_port`: the listen port for Graylog (default: `9000`), +* `graylog_custom_datadir`: the Graylog data directory (default: `""`, the empty string). + +The full list of variables (with default values) can be found in `defaults/main.yml`. 
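Review bot: The `Populate userlist.txt` task, which now triggers the restart handler, still renders credentials into `/etc/pgbouncer/userlist.txt` with no `owner`, `group` or `mode`, so the file gets whatever the template module's default umask yields. Add `owner: postgres`, `group: postgres` and `mode: "0640"` to that task (confirm the service account on this install), and consider the same for `pgbouncer.ini`. A full restart on every template change drops client connections; if the settings these templates manage are reloadable, a reload handler next to the new `Restart PgBouncer` would be gentler, but which settings they set is outside the hunk.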
diff --git a/graylog/defaults/main.yml b/graylog/defaults/main.yml new file mode 100644 index 00000000..26ed02ea --- /dev/null +++ b/graylog/defaults/main.yml @@ -0,0 +1,5 @@ +--- +graylog_version: "5.0" +graylog_listen_ip: "127.0.0.1" +graylog_listen_port: 9000 +graylog_custom_datadir: "" diff --git a/graylog/tasks/main.yml b/graylog/tasks/main.yml new file mode 100644 index 00000000..66e1b5c3 --- /dev/null +++ b/graylog/tasks/main.yml 
@@ -0,0 +1,100 @@ +--- + +- name: Dependencies are installed + ansible.builtin.apt: + name: + - apt-transport-https + - openjdk-11-jre-headless + - uuid-runtime + - pwgen + - dirmngr + - gnupg + - wget + update_cache: yes + +- name: Elasticsearch is configured + ansible.builtin.lineinfile: + dest: '/etc/elasticsearch/elasticsearch.yml' + line: 'action.auto_create_index: false' + register: es_config + +- name: Elasticsearch is restarted + ansible.builtin.systemd: + name: elasticsearch + state: restarted + when: es_config is changed + +- name: Graylog repository is installed + ansible.builtin.apt: + deb: 'https://packages.graylog2.org/repo/packages/graylog-{{ graylog_version }}-repository_latest.deb' + +- name: Graylog is installed + ansible.builtin.apt: + name: + - graylog-server + update_cache: yes + +- name: Graylog password_secret is set + ansible.builtin.replace: + dest: '/etc/graylog/server/server.conf' + regexp: '^(password_secret =)$' + replace: '\1 {{ lookup("ansible.builtin.password", "/dev/null chars=ascii_lowercase,digits length=96") }}' + +- name: Graylog root_password_sha2 is set + ansible.builtin.replace: + dest: '/etc/graylog/server/server.conf' + regexp: '^(root_password_sha2 =)$' + replace: '\1 {{ graylog_root_password_sha2 }}' + when: graylog_root_password_sha2 is defined + +- name: Graylog http_bind_address is set + ansible.builtin.lineinfile: + dest: '/etc/graylog/server/server.conf' + line: 'http_bind_address = {{ graylog_listen_ip }}:{{ graylog_listen_port }}' + +- block: + - name: "Is {{ graylog_custom_datadir }} present ?" 
+ ansible.builtin.stat: + path: "{{ graylog_custom_datadir }}" + check_mode: no + register: graylog_custom_datadir_test + + - name: "read the real datadir" + ansible.builtin.command: + cmd: readlink -f /var/lib/graylog-server + changed_when: False + check_mode: no + register: graylog_current_real_datadir_test + when: graylog_custom_datadir is defined and graylog_custom_datadir | length > 0 + +- block: + - name: Graylog is stopped + ansible.builtin.service: + name: graylog-server + state: stopped + + - name: Move Graylog datadir to {{ graylog_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ graylog_current_real_datadir_test.stdout }} {{ graylog_custom_datadir }} + args: + creates: "{{ graylog_custom_datadir }}" + + - name: Symlink {{ graylog_custom_datadir }} to /var/lib/graylog-server + ansible.builtin.file: + src: "{{ graylog_custom_datadir }}" + dest: '/var/lib/graylog-server' + state: link + when: + - graylog_custom_datadir | length > 0 + - graylog_custom_datadir != graylog_current_real_datadir_test.stdout + - not graylog_custom_datadir_test.stat.exists + +- name: Graylog is started + ansible.builtin.service: + name: graylog-server + state: started + +- name: Graylog is enabled + ansible.builtin.service: + name: graylog-server + enabled: yes From c157450a2c9bc43af6ec089cb5e8508a2b26216a Mon Sep 17 00:00:00 2001 
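Review bot: `Graylog repository is installed` hands `apt` a remote `.deb` URL with no integrity check, so the repository definition and its signing key are trusted on the TLS connection alone; download it with `get_url` and a pinned `checksum` first (sketch below — the digest must be refreshed whenever upstream republishes `_latest.deb`). In the same hunk, `cmd: mv {{ graylog_current_real_datadir_test.stdout }} {{ graylog_custom_datadir }}` is unquoted, so `cmd: mv "{{ graylog_current_real_datadir_test.stdout }}" "{{ graylog_custom_datadir }}"` is safer for paths with spaces. `password_secret` is drawn from `lookup("ansible.builtin.password", "/dev/null …")`, which yields a fresh value on every run; it is only written while the line is empty, but on a multi-node deployment each node would receive a different secret, which presumably has to be shared — confirm against the target setup. The `http_bind_address` lineinfile has no `regexp`, so a later change of `graylog_listen_ip` appends a second line instead of replacing the first.
```yaml
- name: Graylog repository package is downloaded
  ansible.builtin.get_url:
    url: 'https://packages.graylog2.org/repo/packages/graylog-{{ graylog_version }}-repository_latest.deb'
    dest: '/root/graylog-{{ graylog_version }}-repository_latest.deb'
    # constructed: pin the expected digest per graylog_version, e.g. "sha256:<EXPECTED_DIGEST>"
    checksum: "{{ graylog_repository_deb_checksum }}"
  register: graylog_repo_deb

- name: Graylog repository is installed
  ansible.builtin.apt:
    deb: "{{ graylog_repo_deb.dest }}"

# … unchanged: Graylog is installed, password_secret, root_password_sha2, http_bind_address …
```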
From: Eric Morino Date: Mon, 27 Mar 2023 12:02:22 +0200 Subject: [PATCH 35/45] =?UTF-8?q?d=C3=A9but=20creation=20r=C3=B4le=20patro?= =?UTF-8?q?ni?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- patroni/README.md | 4 ++ patroni/defaults/main.yml | 20 +++++++++ patroni/meta/main.yml | 31 +++++++++++++ patroni/tasks/backports.yml | 27 ++++++++++++ patroni/tasks/config.yml | 18 ++++++++ patroni/tasks/main.yml | 6 +++ patroni/tasks/packages.yml | 8 ++++ patroni/templates/patroni.conf.j2 | 73 +++++++++++++++++++++++++++++++ patroni/templates/patroni.pref.j2 | 3 ++ 9 files changed, 190 insertions(+) create mode 100644 patroni/README.md create mode 100644 patroni/defaults/main.yml create mode 100644 patroni/meta/main.yml create mode 100644 patroni/tasks/backports.yml create mode 100644 patroni/tasks/config.yml create mode 100644 patroni/tasks/main.yml create mode 100644 patroni/tasks/packages.yml create mode 100644 patroni/templates/patroni.conf.j2 create mode 100644 patroni/templates/patroni.pref.j2 diff --git a/patroni/README.md b/patroni/README.md new file mode 100644 index 00000000..e3999617 --- /dev/null +++ b/patroni/README.md @@ -0,0 +1,4 @@ +# Patroni + +Installation and basic configuration of Patroni. + diff --git a/patroni/defaults/main.yml b/patroni/defaults/main.yml new file mode 100644 index 00000000..5ceee3ba --- /dev/null +++ b/patroni/defaults/main.yml @@ -0,0 +1,20 @@ +--- + +# Install Patroni from backport Evolix +patroni_backport: false + +# Define variable for Patroni + +cluster_name: "mycluster" +patroni_restapi_listen: "127.0.0.1" +patroni_port: "8008" +postgresql_hosts_cluster: [] +postgresql_host: 127.0.0.1 +postgresql_version: '' +postgresql_replication_user: 'repl' +postgresql_superuser: 'admin' + +# Define variable for etcd +etcd_hosts: [] +etcd_port: "2379" + diff --git a/patroni/meta/main.yml b/patroni/meta/main.yml new file mode 100644 index 00000000..dffff81a --- /dev/null 
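Review bot: The defaults in `patroni/defaults/main.yml` are mostly unprefixed (`cluster_name`, `postgresql_host`, `postgresql_version`, `postgresql_superuser`, `etcd_hosts`, …), so they will collide with any other role or inventory variable of the same name — the other roles in this series prefix theirs (`graylog_*`, `mysql_*`, `listupgrade_*`). Renaming them `patroni_*` (e.g. `patroni_cluster_name`, `patroni_postgresql_version`) before the role is relied on avoids a breaking rename later. The `# Define variable for Patroni` / `# Define variable for etcd` comments would read better as `# Patroni settings` and `# etcd settings`.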
+++ b/patroni/meta/main.yml @@ -0,0 +1,31 @@ +galaxy_info: + company: Evolix + description: Installation and basic configuration of Patroni + + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: "2.7" + + platforms: + - name: Debian + versions: + - buster + - bullseye + - bookworm + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. + diff --git a/patroni/tasks/backports.yml b/patroni/tasks/backports.yml new file mode 100644 index 00000000..43e76f22 --- /dev/null +++ b/patroni/tasks/backports.yml @@ -0,0 +1,27 @@ +--- + +- name: Add Evolix GPG key + ansible.builtin.copy: + src: pub_evolix.asc + dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Evolix backports repository + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-backports main" + filename: backports.list + state: present + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + +- name: Add APT preference file + ansible.builtin.template: + src: patroni.pref.j2 + dest: /etc/apt/preferences.d/patroni.pref + mode: "0644" + diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml new file mode 100644 index 00000000..54a19c0e --- /dev/null +++ b/patroni/tasks/config.yml 
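Review bot: `patroni/tasks/backports.yml` uses `apt_keyring_dir` in both the key copy and the `signed-by=` clause, but the variable is not declared in this role's defaults and `meta/main.yml` in the same commit leaves `dependencies: []`; unless it is guaranteed by the inventory, either add a default (e.g. `apt_keyring_dir: /etc/apt/keyrings`, to be confirmed against the apt role) or declare the dependency. The separate `Update APT cache` task is redundant: `ansible.builtin.apt_repository` refreshes the cache by default when the repository changes, so the extra task only adds run time. The repository URL is plain `http://`, which the `signed-by` key makes acceptable for integrity but not for confidentiality of what is installed; worth a comment if that is a deliberate choice.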
@@ -0,0 +1,18 @@ +--- + +- name: Create a password for PostgreSQL repl user + command: "apg -a 0 -m 16" + register: postgresql_replication_password + +- name: Create a password for PostgreSQL superuser user + command: "apg -a 0 -m 16" + register: postgresql_superuser_password + +- name: Create Patroni config file + ansible.builtin.template: + src: patroni.conf.j2 + dest: /etc/patroni/config-{{ cluster_name }}.yml + owner: root + group: root + mode: "0644" + diff --git a/patroni/tasks/main.yml b/patroni/tasks/main.yml new file mode 100644 index 00000000..05f82a89 --- /dev/null +++ b/patroni/tasks/main.yml @@ -0,0 +1,6 @@ +--- + +- ansible.builtin.import_tasks: packages.yml + +- ansible.builtin.import_tasks: backports.yml + when: patroni_backport: | bool diff --git a/patroni/tasks/packages.yml b/patroni/tasks/packages.yml new file mode 100644 index 00000000..198dcb7b --- /dev/null +++ b/patroni/tasks/packages.yml @@ -0,0 +1,8 @@ +--- + +- name: Install patroni package + ansible.builtin.apt: + name: + - patroni + update_cache: yes + diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 new file mode 100644 index 00000000..c88c96fb --- /dev/null +++ b/patroni/templates/patroni.conf.j2 
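Review bot: Both `apg` tasks register the generated passwords in `postgresql_replication_password` and `postgresql_superuser_password` without `no_log: true`, so the secrets appear in verbose output and in any callback that records task results; add `no_log: true` to both (the same applies to the reworked `apg -M LCN -n1 -m 16` tasks in PATCH 36). The commands also run on every play, so each run produces new passwords and re-templates `config-{{ cluster_name }}.yml` with credentials that no longer match an existing database — presumably unintended for a running cluster; generating once with `lookup('ansible.builtin.password', <path>)`, as the graylog role in this series does, or guarding the tasks behind a check that the config file does not yet exist would make the role idempotent. Style: `command:` here should be `ansible.builtin.command:` to match the rest of the file.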
@@ -0,0 +1,73 @@ +scope: {{ cluster_name }} +name: {{ cluster_name }} + +restapi: + listen: {{ patroni_restapi_listen }}:{{ patroni_port }} + connect_address: {{ patroni_restapi_listen }}:{{ patroni_port }} + +etcd: + hosts: + - {{ etcd_hosts }}:{{ etcd_port }} + - {{ etcd_hosts }}:{{ etcd_port }} + - {{ etcd_hosts }}:{{ etcd_port }} + +bootstrap: + dcs: + ttl: 30 + loop_wait: 10 + retry_timeout: 10 + maximum_lag_on_failover: 1048576 + postgresql: + use_pg_rewind: true + use_slots: true + parameters: + wal_level: replica + hot_standby: "on" + wal_keep_segment: 8 + max_wal_senders: 5 + max_relication_slots: 5 + checkpoint_timeout: 30 + + initdb: + - encoding: UTF8 + - data-checksums + + pg_hba: + - host replication repl 127.0.0.1/32 md5 + - host replication repl {{ postgresql_hosts_cluster }}/0 md5 + - host replication repl {{ postgresql_hosts_cluster }}/0 md5 + - host replication repl {{ postgresql_hosts_cluster }}/0 md5 + - host all all 0.0.0.0/0 md5 + + users: + {{ postgresql_superuser }}: + password: {{ postgresql_superuser_password }} + options: + - createrole + - createdb + {{ postgresql_replication_user }}: + password: {{ postgresql_replication_password }} + options: + - replication + +postgresql: + listen: {{ postgresql_host }}:{{ postgresql_port }} + connect_address: {{ postgresql_host }}:{{ postgresql_port }} + bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ + data_dir: /home/{{ cluster_name }} + pgpass: /tmp/{{ cluster_name }}-pgpass + authentication: + replication: + username: {{ postgresql_replication_user }} + password: {{ postgresql_replication_password }} + superuser: + username: {{ postgresql_superuser }} + password: {{ postgresql_superuser_password }} + parameters: + unix_socket_directories: '/tmp' + +tags: + nofailover: false + noloadbalance: false + clonefrom: false + nosync: false diff --git a/patroni/templates/patroni.pref.j2 b/patroni/templates/patroni.pref.j2 new file mode 100644 index 00000000..6e6dd081 --- /dev/null 
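Review bot: Two parameter names under `bootstrap.dcs.postgresql.parameters` are misspelled — `wal_keep_segment` (PostgreSQL up to 12 knows `wal_keep_segments`; 13+ replaced it with `wal_keep_size`) and `max_relication_slots` (`max_replication_slots`) — so Patroni pushes unknown settings and the intended slot limit never applies; neither line is touched by the later PATCH 36/38 edits to this template. `postgresql_port` is referenced on the `listen:`/`connect_address:` lines but is not in the role's defaults (only `patroni_port` is). The `pg_hba` rule `host all all 0.0.0.0/0 md5` accepts password logins from every address and `md5` is the legacy method; restrict it to the client networks the cluster actually serves and prefer `scram-sha-256` where the target PostgreSQL version supports it.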
+++ b/patroni/templates/patroni.pref.j2 @@ -0,0 +1,3 @@ +Package: patroni +Pin: release a={{ ansible_distribution_release }}-backports +Pin-Priority: 999 From 7d75ed1a968cf13fdb68da6c640903eedd00a938 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 30 Mar 2023 18:23:46 +0200 Subject: [PATCH 36/45] Add key GPG evolix, and fix some bugs --- patroni/files/pub_evolix.asc | 87 +++++++++++++++++++++++++++++++ patroni/tasks/config.yml | 4 +- patroni/tasks/main.yml | 7 +-- patroni/templates/patroni.conf.j2 | 32 ++++++------ 4 files changed, 109 insertions(+), 21 deletions(-) create mode 100644 patroni/files/pub_evolix.asc diff --git a/patroni/files/pub_evolix.asc b/patroni/files/pub_evolix.asc new file mode 100644 index 00000000..4a21bdfe --- /dev/null +++ b/patroni/files/pub_evolix.asc 
@@ -0,0 +1,87 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N +YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN +OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV +Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw +ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 +7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 +mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma +dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 +huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm +vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk ++XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB +tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy +PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy +x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq +yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 +D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt +c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N +q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F +btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ +ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa +C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D +jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp +5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo +JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 +Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F +5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o +aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba +mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp 
+g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs +h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M +Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb +sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A +5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A +etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 +smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ +Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX +mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F +V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT +foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 +b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 +FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI +7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb ++dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc +fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF +bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR +Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ +7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ +RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc +8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX +fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd +gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ +YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 +4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL +1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK +3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj +9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB +jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC +LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG 
+j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H +BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M +jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q +BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym +Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 +lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH +El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV +sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp +IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz +DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM +G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 +IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs +UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac +lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm +AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r +adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf +SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v +2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz +kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg +2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad +OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf +nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk +jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH +oA9QflpnDubMnCve +=ZCml +-----END PGP PUBLIC KEY BLOCK----- diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml index 54a19c0e..f48959b9 100644 --- a/patroni/tasks/config.yml +++ b/patroni/tasks/config.yml 
@@ -1,11 +1,11 @@ --- - name: Create a password for PostgreSQL repl user - command: "apg -a 0 -m 16" + command: "apg -M LCN -n1 -m 16" register: postgresql_replication_password - name: Create a password for PostgreSQL superuser user - command: "apg -a 0 -m 16" + command: "apg -M LCN -n1 -m 16" register: postgresql_superuser_password - name: Create Patroni config file diff --git a/patroni/tasks/main.yml b/patroni/tasks/main.yml index 05f82a89..36b4eb41 100644 --- a/patroni/tasks/main.yml +++ b/patroni/tasks/main.yml @@ -1,6 +1,7 @@ --- -- ansible.builtin.import_tasks: packages.yml - - ansible.builtin.import_tasks: backports.yml - when: patroni_backport: | bool + when: patroni_backport | bool + +- ansible.builtin.import_tasks: packages.yml +- ansible.builtin.import_tasks: config.yml diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 index c88c96fb..c4eae345 100644 --- a/patroni/templates/patroni.conf.j2 +++ b/patroni/templates/patroni.conf.j2 @@ -1,15 +1,15 @@ scope: {{ cluster_name }} -name: {{ cluster_name }} +name: {{ cluster_name_host }} restapi: - listen: {{ patroni_restapi_listen }}:{{ patroni_port }} - connect_address: {{ patroni_restapi_listen }}:{{ patroni_port }} + listen: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} + connect_address: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} etcd: hosts: - - {{ etcd_hosts }}:{{ etcd_port }} - - {{ etcd_hosts }}:{{ etcd_port }} - - {{ etcd_hosts }}:{{ etcd_port }} +{% for server in groups['etcd'] %} + - {{ hostvars[server]['etcd_host'] }}:{{ etcd_client_port }} +{% endfor %} bootstrap: dcs: 
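Review bot: The rewritten template lines introduce `cluster_name_host`, `patroni_restapi_port`, `etcd_client_port` and `hostvars[server]['etcd_host']`, none of which is declared in `patroni/defaults/main.yml` (which still only has `patroni_port`, `etcd_hosts` and `etcd_port`), and `{% for server in groups['etcd'] %}` hard-codes an inventory group name. Unless these come from the inventory by convention, rendering fails with undefined variables; add defaults for the ports, document the required `etcd` group and per-host `etcd_host` in the README, or expose the group name as a variable (e.g. `groups[patroni_etcd_group]`). The now-unused `etcd_hosts`/`etcd_port` defaults should be dropped or renamed to match.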
@@ -34,35 +34,35 @@ bootstrap: pg_hba: - host replication repl 127.0.0.1/32 md5 - - host replication repl {{ postgresql_hosts_cluster }}/0 md5 - - host replication repl {{ postgresql_hosts_cluster }}/0 md5 - - host replication repl {{ postgresql_hosts_cluster }}/0 md5 +{% for server in groups['patroni'] %} + - host replication repl {{ hostvars[server]['postgresql_hosts_cluster'] }}/0 md5 +{% endfor %} - host all all 0.0.0.0/0 md5 users: {{ postgresql_superuser }}: - password: {{ postgresql_superuser_password }} + password: {{ postgresql_superuser_password.stdout }} options: - createrole - createdb {{ postgresql_replication_user }}: - password: {{ postgresql_replication_password }} + password: {{ postgresql_replication_password.stdout }} options: - replication postgresql: listen: {{ postgresql_host }}:{{ postgresql_port }} connect_address: {{ postgresql_host }}:{{ postgresql_port }} - bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ - data_dir: /home/{{ cluster_name }} - pgpass: /tmp/{{ cluster_name }}-pgpass + bin_dir: /var/lib/postgresql/{{ postgresql_version }}/bin/ + data_dir: /home/{{ cluster_name_host }} + pgpass: /tmp/{{ cluster_name_host }}-pgpass authentication: replication: username: {{ postgresql_replication_user }} - password: {{ postgresql_replication_password }} + password: {{ postgresql_replication_password.stdout }} superuser: username: {{ postgresql_superuser }} - password: {{ postgresql_superuser_password }} + password: {{ postgresql_superuser_password.stdout }} parameters: unix_socket_directories: '/tmp' From 8ec5c79ca1028dbae749d15e7f25f88eb669cc6b Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 3 Apr 2023 14:45:17 +0200 Subject: [PATCH 37/45] Add new role Patroni in CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a307be6..4afd0a00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
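Review bot: In the new pg_hba loop, `- host replication repl {{ hostvars[server]['postgresql_hosts_cluster'] }}/0 md5` uses prefix length `/0`, which matches every address, so the per-server entries grant replication access from any host rather than from the listed cluster members; for single IPv4 addresses the mask should be `/32` (or the variable should carry its own prefix length). A second point: `pgpass: /tmp/{{ cluster_name_host }}-pgpass` places the credentials file at a predictable name in the shared `/tmp` directory; a location only the postgres account can reach is safer. The unchanged `host all all 0.0.0.0/0 md5` context line is worth revisiting for the same reason.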
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * graylog: new role +* Patroni: new role for install Patroni cluster ### Changed From b7723cfe69f4c471c0b70823dce11eaacd53d175 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 3 Apr 2023 17:21:14 +0200 Subject: [PATCH 38/45] fix bin_dir variable --- patroni/templates/patroni.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 index c4eae345..d60272a8 100644 --- a/patroni/templates/patroni.conf.j2 +++ b/patroni/templates/patroni.conf.j2 @@ -53,7 +53,7 @@ bootstrap: postgresql: listen: {{ postgresql_host }}:{{ postgresql_port }} connect_address: {{ postgresql_host }}:{{ postgresql_port }} - bin_dir: /var/lib/postgresql/{{ postgresql_version }}/bin/ + bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ data_dir: /home/{{ cluster_name_host }} pgpass: /tmp/{{ cluster_name_host }}-pgpass authentication: From 23b26fa239340230ae07b9cb8c50cc364fda24d5 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 3 Apr 2023 17:33:12 +0200 Subject: [PATCH 39/45] changement variable postgresql_hosts --- patroni/defaults/main.yml | 3 ++- patroni/templates/patroni.conf.j2 | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/patroni/defaults/main.yml b/patroni/defaults/main.yml index 5ceee3ba..85ead1b1 100644 --- a/patroni/defaults/main.yml +++ b/patroni/defaults/main.yml @@ -9,7 +9,8 @@ cluster_name: "mycluster" patroni_restapi_listen: "127.0.0.1" patroni_port: "8008" postgresql_hosts_cluster: [] -postgresql_host: 127.0.0.1 +postgresql_listen_ips: 127.0.0.1 +postgresql_connect_ip: 127.0.0.1 postgresql_version: '' postgresql_replication_user: 'repl' postgresql_superuser: 'admin' diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 index d60272a8..2dc23a28 100644 --- a/patroni/templates/patroni.conf.j2 
+++ b/patroni/templates/patroni.conf.j2 @@ -51,8 +51,8 @@ bootstrap: - replication postgresql: - listen: {{ postgresql_host }}:{{ postgresql_port }} - connect_address: {{ postgresql_host }}:{{ postgresql_port }} + listen: {{ postgresql_listen_ips }}:{{ postgresql_port }} + connect_address: {{ postgresql_connect_ip }}:{{ postgresql_port }} bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ data_dir: /home/{{ cluster_name_host }} pgpass: /tmp/{{ cluster_name_host }}-pgpass From 956e644ac458bc12c9a5b8fb656d440dc93ac6f8 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 7 Apr 2023 11:00:13 +0200 Subject: [PATCH 40/45] evocheck: upstream release 23.04 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 16 +++++++++++----- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 5d1a186e..6fb3d3d7 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.03.01" +VERSION="23.04" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 647192cc..d907a54f 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.03.01" +VERSION="23.04" readonly VERSION # base functions 
@@ -146,10 +146,16 @@ check_dpkgwarning() { || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" } # Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option. -check_localhost_in_postfix_mydestination() { +check_postfix_mydestination() { # shellcheck disable=SC2016 - if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp '(localhost[^\\.]|localhost.localdomain|localhost.$mydomain)'; then - failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then." + if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)'; then + failed "IS_POSTFIX_MYDESTINATION" "'localhost' s missing in Postfix mydestination option." + fi + if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.localdomain'; then + failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option." + fi + if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.$mydomain'; then + failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option." fi } # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) @@ -1389,7 +1395,7 @@ main() { test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning - test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination + test "${IS_POSTFIX_MYDESTINATION:=1}" = 1 && check_postfix_mydestination test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index cd038268..b9ac86e6 100755 
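Review bot: The three new tests in `check_postfix_mydestination` filter `/etc/postfix/main.cf` with `grep mydestination`, which also matches commented-out lines such as `#mydestination = ...` and ignores Postfix's compiled-in default, so a stale commented example containing localhost satisfies the check while the effective value lacks it. Reading the effective value avoids both problems: `if ! postconf -h mydestination | grep --quiet -E 'localhost([[:blank:]]|$)'; then` (and likewise for the other two tests). The first `failed` message reads `'localhost' s missing`; it should be `'localhost' is missing`, and the typo is still present in the PATCH 41 hunk of the same function. `main()` in the second hunk starts and ends outside the hunk.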
--- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.03.01" +VERSION="23.04" readonly VERSION # base functions From 0c2e06de33df24ce776304eeecf756ea22724959 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 7 Apr 2023 11:53:30 +0200 Subject: [PATCH 41/45] evocheck: upstream release 23.04.01 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 6 +++--- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 6fb3d3d7..05b5f8d1 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04" +VERSION="23.04.01" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index d907a54f..52441988 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04" +VERSION="23.04.01" readonly VERSION # base functions 
@@ -151,10 +151,10 @@ check_postfix_mydestination() { if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost' s missing in Postfix mydestination option." fi - if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.localdomain'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.localdomain'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option." fi - if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.$mydomain'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.\$mydomain'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option." fi } diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index b9ac86e6..461540b3 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04" +VERSION="23.04.01" readonly VERSION # base functions From 602bb22984e13be8fc89e3c1fbc2cacd49422fc4 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 13 Apr 2023 09:55:35 +0200 Subject: [PATCH 42/45] Add template systemd for patroni --- patroni/tasks/config.yml | 8 ++++++++ patroni/templates/patroni.service.j2 | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 patroni/templates/patroni.service.j2 diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml index f48959b9..4d44e285 100644 --- a/patroni/tasks/config.yml +++ b/patroni/tasks/config.yml @@ -16,3 +16,11 @@ group: root mode: "0644" +- mane: Create Systemd Unit for Patroni + ansible.builtin.template: + src: patroni.service.j2 + dest: /etc/systemd/system/patroni.service + owner: root + group: root + mode: "0644" + 
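Review bot: The new task appended to patroni/tasks/config.yml is keyed `- mane: Create Systemd Unit for Patroni`; `mane` is not a task attribute, so Ansible will, as far as I can tell, reject the task at parse time — it should read `- name: Create Systemd Unit for Patroni`. Installing a unit file also needs a `systemctl daemon-reload` before it can be started; consider notifying a handler from this task. The enclosing task list starts before the hunk.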
diff --git a/patroni/templates/patroni.service.j2 b/patroni/templates/patroni.service.j2 new file mode 100644 index 00000000..6f9e1521 --- /dev/null +++ b/patroni/templates/patroni.service.j2 @@ -0,0 +1,17 @@ +[Unit] +Description=Runners to orchestrate a high-availability PostgreSQL +After=syslog.target network.target + +[Service] +Type=simple + +User=postgres +Group=postgres + +ExecStart=/usr/bin/patroni /etc/patroni/config-{{ cluster_name }}.yml +KillMode=process +TimeoutSec=30 +Restart=no + +[Install] +WantedBy=multi-user.targ From e8c7d2c3e367ed0bb555ea08818f206fcd87070d Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Mon, 20 Mar 2023 18:00:22 +0100 Subject: [PATCH 43/45] lxc-php: add support for PHP 8.2 container --- CHANGELOG.md | 1 + evolinux-users/templates/sudoers_stretch.j2 | 1 + lxc-php/defaults/main.yml | 6 +-- lxc-php/handlers/main.yml | 5 ++ lxc-php/tasks/main.yml | 4 +- lxc-php/tasks/php82.yml | 53 +++++++++++++++++---- 6 files changed, 56 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4afd0a00..1528a40d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * graylog: new role * Patroni: new role for install Patroni cluster +* lxc-php: add support for PHP 8.2 container ### Changed diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 287483d9..29a22da7 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 
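Review bot: `WantedBy=multi-user.targ` in the new unit is truncated; it should be `WantedBy=multi-user.target`, otherwise `systemctl enable` links the unit into a `.wants` directory no target consumes and the service does not start at boot. The unit runs as `User=postgres` and reads `/etc/patroni/config-{{ cluster_name }}.yml`, but the config.yml task that deploys that file (visible in this commit's other hunk and in the PATCH 44 deletion) writes it `owner: root`, `group: root`, `mode: "0644"`, so the superuser and replication passwords rendered into it are readable by every local account; deploy it as `owner: postgres`, `mode: "0600"`. `After=syslog.target` is a legacy target that current systemd no longer needs.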
@@ -14,6 +14,7 @@ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ +nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index d27f60f2..17af05cf 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -21,7 +21,7 @@ lxc_php_container_releases: php74: "bullseye" php80: "bullseye" php81: "bullseye" - # php82: "bookworm" + php82: "bullseye" lxc_php_services: php56: 'php5-fpm.service' @@ -30,6 +30,6 @@ lxc_php_services: php74: 'php7.4-fpm.service' php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' - # php82: 'php8.2-fpm.service' + php82: 'php8.2-fpm.service' -apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index 1a2d7a6e..b703933b 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml 
@@ -10,6 +10,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" +- name: Reload php82-fpm + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl reload php8.2-fpm" + - name: Reload php81-fpm community.general.lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index c3d58eba..035bfe15 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -39,8 +39,8 @@ - ansible.builtin.import_tasks: "php81.yml" when: lxc_php_version == "php81" -# - ansible.builtin.import_tasks: "php82.yml" -# when: lxc_php_version == "php82" +- ansible.builtin.import_tasks: "php82.yml" + when: lxc_php_version == "php82" - ansible.builtin.import_tasks: "umask.yml" diff --git a/lxc-php/tasks/php82.yml b/lxc-php/tasks/php82.yml index a83207c8..1fb81851 100644 --- a/lxc-php/tasks/php82.yml +++ b/lxc-php/tasks/php82.yml 
@@ -2,21 +2,56 @@ - name: set APT keyring ansible.builtin.set_fact: - lxc_apt_keyring_dir: /etc/apt/keyrings + lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d + +- name: "{{ lxc_php_version }} - Install dependency packages" + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg" + +- name: "{{ lxc_php_version }} - fix bullseye repository" + ansible.builtin.replace: + dest: "{{ lxc_rootfs }}/etc/apt/sources.list" + regexp: 'bullseye/updates' + replace: 'bullseye-security' + +- name: "{{ lxc_php_version }} - Add sury repo" + ansible.builtin.lineinfile: + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" + line: "{{ item }}" + state: present + create: yes + mode: "0644" + loop: + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php82 main" + +- name: copy pub.evolix.net GPG key + ansible.builtin.copy: + src: pub_evolix.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc + mode: "0644" + owner: root + group: root + +- name: copy packages.sury.org GPG Key + ansible.builtin.copy: + src: sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg + mode: "0644" + owner: root + group: root + +- name: "{{ lxc_php_version }} - Update APT cache" + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt update" - name: "{{ lxc_php_version }} - Install PHP packages" community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" -# TODO : adapt to Bookworm and deb822 format - -- 
name: "{{ lxc_php_version }} - fix bookworm repository" - ansible.builtin.replace: - dest: "{{ lxc_rootfs }}/etc/apt/sources.list" - regexp: 'bullseye/updates' - replace: 'bullseye-security' - - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" ansible.builtin.template: src: z-evolinux-defaults.ini.j2 From 42e98791d95409963d57a20f83ff459a170d4744 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 23 Apr 2023 10:29:50 +0200 Subject: [PATCH 44/45] Extract patroni role into its own branch for now --- CHANGELOG.md | 1 - patroni/README.md | 4 -- patroni/defaults/main.yml | 21 ------- patroni/files/pub_evolix.asc | 87 ---------------------------- patroni/meta/main.yml | 31 ---------- patroni/tasks/backports.yml | 27 --------- patroni/tasks/config.yml | 26 --------- patroni/tasks/main.yml | 7 --- patroni/tasks/packages.yml | 8 --- patroni/templates/patroni.conf.j2 | 73 ----------------------- patroni/templates/patroni.pref.j2 | 3 - patroni/templates/patroni.service.j2 | 17 ------ 12 files changed, 305 deletions(-) delete mode 100644 patroni/README.md delete mode 100644 patroni/defaults/main.yml delete mode 100644 patroni/files/pub_evolix.asc delete mode 100644 patroni/meta/main.yml delete mode 100644 patroni/tasks/backports.yml delete mode 100644 patroni/tasks/config.yml delete mode 100644 patroni/tasks/main.yml delete mode 100644 patroni/tasks/packages.yml delete mode 100644 patroni/templates/patroni.conf.j2 delete mode 100644 patroni/templates/patroni.pref.j2 delete mode 100644 patroni/templates/patroni.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 1528a40d..4cb6a43d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * graylog: new role -* Patroni: new role for install Patroni cluster * lxc-php: add support for PHP 8.2 container ### Changed 
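Review bot: `lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d` is set in the first task but nothing else in this hunk reads it; the two `signed-by=` entries and both `copy` destinations use `apt_keyring_dir`, which lxc-php/defaults/main.yml (earlier in this commit) derives from the host's Debian version, so on a Debian 12 host the keys are copied into `rootfs/etc/apt/keyrings`, a directory the bullseye container presumably does not have, and the sources entries point there. Using `{{ lxc_apt_keyring_dir }}` in those four places keeps the container's paths independent of the host. Also, the `apt install -y wget apt-transport-https gnupg` task runs before the first `apt update`; on a freshly created container with no package lists that install may fail, so the update step should precede it.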
diff --git a/patroni/README.md b/patroni/README.md deleted file mode 100644 index e3999617..00000000 --- a/patroni/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Patroni - -Installation and basic configuration of Patroni. - diff --git a/patroni/defaults/main.yml b/patroni/defaults/main.yml deleted file mode 100644 index 85ead1b1..00000000 --- a/patroni/defaults/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -# Install Patroni from backport Evolix -patroni_backport: false - -# Define variable for Patroni - -cluster_name: "mycluster" -patroni_restapi_listen: "127.0.0.1" -patroni_port: "8008" -postgresql_hosts_cluster: [] -postgresql_listen_ips: 127.0.0.1 -postgresql_connect_ip: 127.0.0.1 -postgresql_version: '' -postgresql_replication_user: 'repl' -postgresql_superuser: 'admin' - -# Define variable for etcd -etcd_hosts: [] -etcd_port: "2379" - diff --git a/patroni/files/pub_evolix.asc b/patroni/files/pub_evolix.asc deleted file mode 100644 index 4a21bdfe..00000000 --- a/patroni/files/pub_evolix.asc +++ /dev/null 
@@ -1,87 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N -YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN -OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV -Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw -ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 -7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 -mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma -dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 -huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm -vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk -+XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB -tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy -PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A -BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy -x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq -yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 -D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt -c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N -q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F -btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ -ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa -C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D -jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp -5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo -JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 -Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F -5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o -aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba -mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp 
-g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs -h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M -Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb -sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A -5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A -etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 -smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ -Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX -mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F -V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT -foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 -b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 -FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI -7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb -+dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc -fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF -bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR -Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ -7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ -RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc -8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX -fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd -gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ -YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 -4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL -1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK -3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj -9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB -jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC -LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG 
-j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H -BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M -jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q -BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym -Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 -lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH -El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV -sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp -IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz -DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM -G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 -IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs -UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac -lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm -AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r -adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf -SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v -2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz -kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg -2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad -OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf -nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk -jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH -oA9QflpnDubMnCve -=ZCml ------END PGP PUBLIC KEY BLOCK----- diff --git a/patroni/meta/main.yml b/patroni/meta/main.yml deleted file mode 100644 index dffff81a..00000000 --- a/patroni/meta/main.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -galaxy_info: - company: Evolix - description: Installation and basic configuration of Patroni - - issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: "2.7" - - platforms: - - name: Debian - versions: - - buster - - bullseye - - bookworm - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is - # a keyword that describes and categorizes the role. - # Users find roles by searching for tags. Be sure to - # remove the '[]' above if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of - # alphanumeric characters. Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. - diff --git a/patroni/tasks/backports.yml b/patroni/tasks/backports.yml deleted file mode 100644 index 43e76f22..00000000 --- a/patroni/tasks/backports.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Add Evolix GPG key - ansible.builtin.copy: - src: pub_evolix.asc - dest: "{{ apt_keyring_dir }}/pub_evolix.asc" - force: yes - mode: "0644" - owner: root - group: root - -- name: Add Evolix backports repository - ansible.builtin.apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-backports main" - filename: backports.list - state: present - -- name: Update APT cache - ansible.builtin.apt: - update_cache: yes - -- name: Add APT preference file - ansible.builtin.template: - src: patroni.pref.j2 - dest: /etc/apt/preferences.d/patroni.pref - mode: "0644" - diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml deleted file mode 100644 index 4d44e285..00000000 --- a/patroni/tasks/config.yml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- - -- name: Create a password for PostgreSQL repl user - command: "apg -M LCN -n1 -m 16" - register: postgresql_replication_password - -- name: Create a password for PostgreSQL superuser user - command: "apg -M LCN -n1 -m 16" - register: postgresql_superuser_password - -- name: Create Patroni config file - ansible.builtin.template: - src: patroni.conf.j2 - dest: /etc/patroni/config-{{ cluster_name }}.yml - owner: root - group: root - mode: "0644" - -- mane: Create Systemd Unit for Patroni - ansible.builtin.template: - src: patroni.service.j2 - dest: /etc/systemd/system/patroni.service - owner: root - group: root - mode: "0644" - diff --git a/patroni/tasks/main.yml b/patroni/tasks/main.yml deleted file mode 100644 index 36b4eb41..00000000 --- a/patroni/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: backports.yml - when: patroni_backport | bool - -- ansible.builtin.import_tasks: packages.yml -- ansible.builtin.import_tasks: config.yml diff --git a/patroni/tasks/packages.yml b/patroni/tasks/packages.yml deleted file mode 100644 index 198dcb7b..00000000 --- a/patroni/tasks/packages.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Install patroni package - ansible.builtin.apt: - name: - - patroni - update_cache: yes - diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 deleted file mode 100644 index 2dc23a28..00000000 --- a/patroni/templates/patroni.conf.j2 +++ /dev/null 
@@ -1,73 +0,0 @@ -scope: {{ cluster_name }} -name: {{ cluster_name_host }} - -restapi: - listen: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} - connect_address: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} - -etcd: - hosts: -{% for server in groups['etcd'] %} - - {{ hostvars[server]['etcd_host'] }}:{{ etcd_client_port }} -{% endfor %} - -bootstrap: - dcs: - ttl: 30 - loop_wait: 10 - retry_timeout: 10 - maximum_lag_on_failover: 1048576 - postgresql: - use_pg_rewind: true - use_slots: true - parameters: - wal_level: replica - hot_standby: "on" - wal_keep_segment: 8 - max_wal_senders: 5 - max_relication_slots: 5 - checkpoint_timeout: 30 - - initdb: - - encoding: UTF8 - - data-checksums - - pg_hba: - - host replication repl 127.0.0.1/32 md5 -{% for server in groups['patroni'] %} - - host replication repl {{ hostvars[server]['postgresql_hosts_cluster'] }}/0 md5 -{% endfor %} - - host all all 0.0.0.0/0 md5 - - users: - {{ postgresql_superuser }}: - password: {{ postgresql_superuser_password.stdout }} - options: - - createrole - - createdb - {{ postgresql_replication_user }}: - password: {{ postgresql_replication_password.stdout }} - options: - - replication - -postgresql: - listen: {{ postgresql_listen_ips }}:{{ postgresql_port }} - connect_address: {{ postgresql_connect_ip }}:{{ postgresql_port }} - bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ - data_dir: /home/{{ cluster_name_host }} - pgpass: /tmp/{{ cluster_name_host }}-pgpass - authentication: - replication: - username: {{ postgresql_replication_user }} - password: {{ postgresql_replication_password.stdout }} - superuser: - username: {{ postgresql_superuser }} - password: {{ postgresql_superuser_password.stdout }} - parameters: - unix_socket_directories: '/tmp' - -tags: - nofailover: false - noloadbalance: false - clonefrom: false - nosync: false diff --git a/patroni/templates/patroni.pref.j2 b/patroni/templates/patroni.pref.j2 deleted file mode 100644 index 6e6dd081..00000000 
--- a/patroni/templates/patroni.pref.j2 +++ /dev/null @@ -1,3 +0,0 @@ -Package: patroni -Pin: release a={{ ansible_distribution_release }}-backports -Pin-Priority: 999 diff --git a/patroni/templates/patroni.service.j2 b/patroni/templates/patroni.service.j2 deleted file mode 100644 index 6f9e1521..00000000 --- a/patroni/templates/patroni.service.j2 +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=Runners to orchestrate a high-availability PostgreSQL -After=syslog.target network.target - -[Service] -Type=simple - -User=postgres -Group=postgres - -ExecStart=/usr/bin/patroni /etc/patroni/config-{{ cluster_name }}.yml -KillMode=process -TimeoutSec=30 -Restart=no - -[Install] -WantedBy=multi-user.targ From 6cd72cf9f44f3051435d6e0355afac27f6363674 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 23 Apr 2023 10:48:39 +0200 Subject: [PATCH 45/45] Release 23.04 --- CHANGELOG.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4cb6a43d..0db8d343 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,11 +13,24 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [23.04] 2023-04-23 + +### Added + * graylog: new role * lxc-php: add support for PHP 8.2 container ### Changed +* Use FQCN (Fully Qualified Collection Name) * apt: with Debian 12, backports are installed but disabled by default * openvpn: updated the README file * pgbouncer: add handler to restart the service @@ -26,10 +39,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Support for Debian 12 -### Removed - -### Security - ## [23.03.1] 2023-03-16 ### Added