Merge branch 'unstable' into stable
commit
a10cff94d0
18
CHANGELOG.md
18
CHANGELOG.md
|
@ -21,6 +21,24 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [23.04] 2023-04-23
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* graylog: new role
|
||||||
|
* lxc-php: add support for PHP 8.2 container
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* Use FQCN (Fully Qualified Collection Name)
|
||||||
|
* apt: with Debian 12, backports are installed but disabled by default
|
||||||
|
* openvpn: updated the README file
|
||||||
|
* pgbouncer: add handler to restart the service
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* generate-ldif: Support for Debian 12
|
||||||
|
|
||||||
## [23.03.1] 2023-03-16
|
## [23.03.1] 2023-03-16
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: restart amavis
|
- name: restart amavis
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: amavis
|
name: amavis
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: install Amavis
|
- name: install Amavis
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- postgrey
|
- postgrey
|
||||||
- amavisd-new
|
- amavisd-new
|
||||||
|
@ -9,7 +9,7 @@
|
||||||
- amavis
|
- amavis
|
||||||
|
|
||||||
- name: configure Amavis
|
- name: configure Amavis
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: amavis.conf.j2
|
src: amavis.conf.j2
|
||||||
dest: /etc/amavis/conf.d/49-evolinux-defaults
|
dest: /etc/amavis/conf.d/49-evolinux-defaults
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
|
@ -9,10 +9,10 @@
|
||||||
aws_region: ca-central-1
|
aws_region: ca-central-1
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/amazon-ec2
|
name: evolix/amazon-ec2
|
||||||
tasks_from: setup.yml
|
tasks_from: setup.yml
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/amazon-ec2
|
name: evolix/amazon-ec2
|
||||||
tasks_from: create-instance.yml
|
tasks_from: create-instance.yml
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@
|
||||||
- mysql
|
- mysql
|
||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/etc-git
|
name: evolix/etc-git
|
||||||
tasks_from: commit.yml
|
tasks_from: commit.yml
|
||||||
vars:
|
vars:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Launch new instance(s)
|
- name: Launch new instance(s)
|
||||||
ec2:
|
amazon.aws.ec2:
|
||||||
state: present
|
state: present
|
||||||
aws_access_key: "{{ aws_access_key }}"
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
aws_secret_key: "{{ aws_secret_key }}"
|
aws_secret_key: "{{ aws_secret_key }}"
|
||||||
|
@ -16,19 +16,19 @@
|
||||||
register: ec2
|
register: ec2
|
||||||
|
|
||||||
- name: Add newly created instance(s) to inventory
|
- name: Add newly created instance(s) to inventory
|
||||||
add_host:
|
ansible.builtin.add_host:
|
||||||
hostname: "{{ item.public_dns_name }}"
|
hostname: "{{ item.public_dns_name }}"
|
||||||
groupname: launched-instances
|
groupname: launched-instances
|
||||||
ansible_user: admin
|
ansible_user: admin
|
||||||
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
|
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
|
||||||
loop: "{{ ec2.instances }}"
|
loop: "{{ ec2.instances }}"
|
||||||
|
|
||||||
- debug:
|
- ansible.builtin.debug:
|
||||||
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
|
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
|
||||||
loop: "{{ ec2.instances }}"
|
loop: "{{ ec2.instances }}"
|
||||||
|
|
||||||
- name: Wait for SSH to come up on all instances (give up after 2m)
|
- name: Wait for SSH to come up on all instances (give up after 2m)
|
||||||
wait_for:
|
ansible.builtin.wait_for:
|
||||||
state: started
|
state: started
|
||||||
host: "{{ item.public_dns_name }}"
|
host: "{{ item.public_dns_name }}"
|
||||||
port: 22
|
port: 22
|
||||||
|
|
|
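Review bot: `amazon.aws.ec2` in the "Launch new instance(s)" task is the legacy module that, as far as I recall, the amazon.aws collection removed in its 4.0.0 release, so the FQCN only keeps this playbook working on older collection versions; `amazon.aws.ec2_instance` is the supported replacement, and since the three loops below iterate `ec2.instances` and read `item.public_dns_name`, the registered result's keys should be checked against that module's return values when migrating. While this task is being touched, the `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` handed to `add_host` disables host-key verification for every later connection to the new instances; `-o StrictHostKeyChecking=accept-new` records the key on first contact and verifies it afterwards, which fits the fresh-instance case. That option predates this commit.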
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: Remove admin user
|
- name: Remove admin user
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: admin
|
name: admin
|
||||||
state: absent
|
state: absent
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Create default security group
|
- name: Create default security group
|
||||||
ec2_group:
|
amazon.aws.ec2_group:
|
||||||
name: "{{ ec2_security_group.name }}"
|
name: "{{ ec2_security_group.name }}"
|
||||||
state: present
|
state: present
|
||||||
aws_access_key: "{{ aws_access_key }}"
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
rules_egress: "{{ ec2_security_group.rules_egress }}"
|
rules_egress: "{{ ec2_security_group.rules_egress }}"
|
||||||
|
|
||||||
- name: Create key pair
|
- name: Create key pair
|
||||||
ec2_key:
|
amazon.aws.ec2_key:
|
||||||
name: "{{ ec2_keyname }}"
|
name: "{{ ec2_keyname }}"
|
||||||
state: present
|
state: present
|
||||||
aws_access_key: "{{ aws_access_key }}"
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
- name: restart apache
|
- name: restart apache
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: apache2
|
name: apache2
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: reload apache
|
- name: reload apache
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: apache2
|
name: apache2
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: restart munin-node
|
- name: restart munin-node
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: munin-node
|
name: munin-node
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Init ipaddr_whitelist.conf file
|
- name: Init ipaddr_whitelist.conf file
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: ipaddr_whitelist.conf
|
src: ipaddr_whitelist.conf
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -12,10 +12,10 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: Load IP whitelist task
|
- name: Load IP whitelist task
|
||||||
include: ip_whitelist.yml
|
ansible.builtin.import_tasks: ip_whitelist.yml
|
||||||
|
|
||||||
- name: include private IP whitelist for server-status
|
- name: include private IP whitelist for server-status
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apache2/mods-available/status.conf
|
dest: /etc/apache2/mods-available/status.conf
|
||||||
line: " include /etc/apache2/ipaddr_whitelist.conf"
|
line: " include /etc/apache2/ipaddr_whitelist.conf"
|
||||||
insertafter: 'SetHandler server-status'
|
insertafter: 'SetHandler server-status'
|
||||||
|
@ -24,7 +24,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: Copy private_htpasswd
|
- name: Copy private_htpasswd
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: private_htpasswd
|
src: private_htpasswd
|
||||||
dest: /etc/apache2/private_htpasswd
|
dest: /etc/apache2/private_htpasswd
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -36,7 +36,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: add user:pwd to private htpasswd
|
- name: add user:pwd to private htpasswd
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apache2/private_htpasswd
|
dest: /etc/apache2/private_htpasswd
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
|
@ -46,7 +46,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: remove user:pwd from private htpasswd
|
- name: remove user:pwd from private htpasswd
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apache2/private_htpasswd
|
dest: /etc/apache2/private_htpasswd
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
|
|
|
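Review bot: The two `ansible.builtin.lineinfile` tasks that add and remove `{{ item }}` entries in /etc/apache2/private_htpasswd have no `no_log: true`, so each loop item (a user:password entry) is echoed in the play output and in any log at default verbosity; add `no_log: true` to both tasks. The loop source is outside the hunk, so whether the items are pre-hashed or cleartext cannot be confirmed here, but the entries are access credentials either way. The switch from `include` to `ansible.builtin.import_tasks: ip_whitelist.yml` is fine and is the form the other includes in this role could follow.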
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: add IP addresses to private IP whitelist
|
- name: add IP addresses to private IP whitelist
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
line: "Require ip {{ item }}"
|
line: "Require ip {{ item }}"
|
||||||
state: present
|
state: present
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
- ips
|
- ips
|
||||||
|
|
||||||
- name: remove IP addresses from private IP whitelist
|
- name: remove IP addresses from private IP whitelist
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
line: "Require ip {{ item }}"
|
line: "Require ip {{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: log2mail is installed
|
- name: log2mail is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: log2mail
|
name: log2mail
|
||||||
state: present
|
state: present
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: Add log2mail config for Apache segfaults
|
- name: Add log2mail config for Apache segfaults
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: log2mail-apache.j2
|
src: log2mail-apache.j2
|
||||||
dest: "/etc/log2mail/config/apache"
|
dest: "/etc/log2mail/config/apache"
|
||||||
owner: log2mail
|
owner: log2mail
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: packages are installed (Debian 9 or later)
|
- name: packages are installed (Debian 9 or later)
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- apache2
|
- apache2
|
||||||
- libapache2-mod-evasive
|
- libapache2-mod-evasive
|
||||||
|
@ -14,7 +14,7 @@
|
||||||
when: ansible_distribution_major_version is version('9', '>=')
|
when: ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
- name: itk package is installed if required (Debian 9 or later)
|
- name: itk package is installed if required (Debian 9 or later)
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- libapache2-mpm-itk
|
- libapache2-mpm-itk
|
||||||
state: present
|
state: present
|
||||||
|
@ -26,7 +26,7 @@
|
||||||
- apache_mpm == "itk"
|
- apache_mpm == "itk"
|
||||||
|
|
||||||
- name: packages are installed (jessie)
|
- name: packages are installed (jessie)
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- apache2-mpm-itk
|
- apache2-mpm-itk
|
||||||
- libapache2-mod-evasive
|
- libapache2-mod-evasive
|
||||||
|
@ -39,7 +39,7 @@
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: basic modules are enabled
|
- name: basic modules are enabled
|
||||||
apache2_module:
|
community.general.apache2_module:
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
state: present
|
state: present
|
||||||
loop:
|
loop:
|
||||||
|
@ -55,7 +55,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: basic modules are enabled
|
- name: basic modules are enabled
|
||||||
apache2_module:
|
community.general.apache2_module:
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
state: present
|
state: present
|
||||||
loop:
|
loop:
|
||||||
|
@ -67,7 +67,7 @@
|
||||||
|
|
||||||
|
|
||||||
- name: Copy Apache defaults config file
|
- name: Copy Apache defaults config file
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: evolinux-defaults.conf
|
src: evolinux-defaults.conf
|
||||||
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
|
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -79,7 +79,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: Copy Apache custom config file
|
- name: Copy Apache custom config file
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: evolinux-custom.conf
|
src: evolinux-custom.conf
|
||||||
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
|
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -91,7 +91,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: disable status.conf
|
- name: disable status.conf
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: /etc/apache2/mods-enabled/status.conf
|
dest: /etc/apache2/mods-enabled/status.conf
|
||||||
state: absent
|
state: absent
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
|
@ -99,7 +99,8 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: Ensure Apache config files are enabled
|
- name: Ensure Apache config files are enabled
|
||||||
command: "a2enconf {{ item }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "a2enconf {{ item }}"
|
||||||
register: command_result
|
register: command_result
|
||||||
changed_when: "'Enabling' in command_result.stderr"
|
changed_when: "'Enabling' in command_result.stderr"
|
||||||
loop:
|
loop:
|
||||||
|
@ -109,12 +110,12 @@
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- include: auth.yml
|
- ansible.builtin.include: auth.yml
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: default vhost is installed
|
- name: default vhost is installed
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: evolinux-default.conf.j2
|
src: evolinux-default.conf.j2
|
||||||
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
|
@ -124,7 +125,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: default vhost is enabled
|
- name: default vhost is enabled
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: /etc/apache2/sites-available/000-evolinux-default.conf
|
src: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||||
dest: /etc/apache2/sites-enabled/000-default.conf
|
dest: /etc/apache2/sites-enabled/000-default.conf
|
||||||
state: link
|
state: link
|
||||||
|
@ -134,12 +135,13 @@
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- include: server_status.yml
|
- ansible.builtin.include: server_status.yml
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: is umask already present?
|
- name: is umask already present?
|
||||||
command: "grep -E '^umask ' /etc/apache2/envvars"
|
ansible.builtin.command:
|
||||||
|
cmd: "grep -E '^umask ' /etc/apache2/envvars"
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
register: envvar_grep_umask
|
register: envvar_grep_umask
|
||||||
|
@ -148,7 +150,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: Add a mark in envvars for umask
|
- name: Add a mark in envvars for umask
|
||||||
blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
dest: /etc/apache2/envvars
|
dest: /etc/apache2/envvars
|
||||||
marker: "## {mark} ANSIBLE MANAGED BLOCK"
|
marker: "## {mark} ANSIBLE MANAGED BLOCK"
|
||||||
block: |
|
block: |
|
||||||
|
@ -159,13 +161,13 @@
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: /usr/share/scripts exists
|
- name: /usr/share/scripts exists
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: /usr/share/scripts
|
dest: /usr/share/scripts
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -175,7 +177,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: "Install save_apache_status.sh"
|
- name: "Install save_apache_status.sh"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: save_apache_status.sh
|
src: save_apache_status.sh
|
||||||
dest: /usr/share/scripts/save_apache_status.sh
|
dest: /usr/share/scripts/save_apache_status.sh
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -184,7 +186,7 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: "logrotate: {{ apache_logrotate_frequency }}"
|
- name: "logrotate: {{ apache_logrotate_frequency }}"
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/logrotate.d/apache2
|
dest: /etc/logrotate.d/apache2
|
||||||
regexp: "(daily|weekly|monthly)"
|
regexp: "(daily|weekly|monthly)"
|
||||||
replace: "{{ apache_logrotate_frequency }}"
|
replace: "{{ apache_logrotate_frequency }}"
|
||||||
|
@ -192,19 +194,19 @@
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
|
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/logrotate.d/apache2
|
dest: /etc/logrotate.d/apache2
|
||||||
regexp: '^(\s+rotate) \d+$'
|
regexp: '^(\s+rotate) \d+$'
|
||||||
replace: '\1 {{ apache_logrotate_rotate }}'
|
replace: '\1 {{ apache_logrotate_rotate }}'
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- include: log2mail.yml
|
- ansible.builtin.include: log2mail.yml
|
||||||
when: apache_log2mail_include
|
when: apache_log2mail_include
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- include: munin.yml
|
- ansible.builtin.include: munin.yml
|
||||||
when: apache_munin_include | bool
|
when: apache_munin_include | bool
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
|
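Review bot: `ansible.builtin.include: auth.yml` (and the same form for server_status.yml, log2mail.yml and munin.yml further down) is the long-deprecated legacy include, which ansible-core schedules for removal in 2.16, so the FQCN rename here does not address the actual lint finding; auth.yml in this same commit already moved its include to `ansible.builtin.import_tasks`, and the unconditional includes here can do the same. For the two conditional ones, `ansible.builtin.import_tasks: log2mail.yml` with the existing `when:` applies the condition to every imported task, which is the skip-when-false behaviour this role relies on; `ansible.builtin.include_tasks` would also need `apply: {tags: [apache]}` to keep the `apache` tag on the included tasks. The file has tasks before and after the hunks shown, so the remaining includes should be checked too.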
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "Install munin-node and core plugins packages"
|
- name: "Install munin-node and core plugins packages"
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- munin-node
|
- munin-node
|
||||||
- munin-plugins-core
|
- munin-plugins-core
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
- munin
|
- munin
|
||||||
|
|
||||||
- name: "Enable Munin plugins"
|
- name: "Enable Munin plugins"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: "/usr/share/munin/plugins/{{ item }}"
|
src: "/usr/share/munin/plugins/{{ item }}"
|
||||||
dest: "/etc/munin/plugins/{{ item }}"
|
dest: "/etc/munin/plugins/{{ item }}"
|
||||||
state: link
|
state: link
|
||||||
|
@ -25,7 +25,7 @@
|
||||||
- munin
|
- munin
|
||||||
|
|
||||||
- name: "Install fcgi packages for Munin graphs"
|
- name: "Install fcgi packages for Munin graphs"
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- libapache2-mod-fcgid
|
- libapache2-mod-fcgid
|
||||||
- libcgi-fast-perl
|
- libcgi-fast-perl
|
||||||
|
@ -36,7 +36,8 @@
|
||||||
- munin
|
- munin
|
||||||
|
|
||||||
- name: "Enable libapache2-mod-fcgid"
|
- name: "Enable libapache2-mod-fcgid"
|
||||||
command: a2enmod fcgid
|
ansible.builtin.command:
|
||||||
|
cmd: a2enmod fcgid
|
||||||
register: cmd_enable_fcgid
|
register: cmd_enable_fcgid
|
||||||
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
|
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
|
||||||
notify: restart apache
|
notify: restart apache
|
||||||
|
@ -45,7 +46,7 @@
|
||||||
- munin
|
- munin
|
||||||
|
|
||||||
- name: "Apache has access to /var/log/munin/"
|
- name: "Apache has access to /var/log/munin/"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /var/log/munin/
|
path: /var/log/munin/
|
||||||
group: www-data
|
group: www-data
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: server status dirname exists
|
- name: server status dirname exists
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
|
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -9,7 +9,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: set apache serverstatus suffix if provided
|
- name: set apache serverstatus suffix if provided
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: "{{ apache_serverstatus_suffix_file }}"
|
dest: "{{ apache_serverstatus_suffix_file }}"
|
||||||
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
||||||
content: "{{ apache_serverstatus_suffix }}\u000A"
|
content: "{{ apache_serverstatus_suffix }}\u000A"
|
||||||
|
@ -17,51 +17,53 @@
|
||||||
when: apache_serverstatus_suffix | length > 0
|
when: apache_serverstatus_suffix | length > 0
|
||||||
|
|
||||||
- name: generate random string for server-status suffix
|
- name: generate random string for server-status suffix
|
||||||
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
|
ansible.builtin.shell:
|
||||||
|
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
|
||||||
args:
|
args:
|
||||||
creates: "{{ apache_serverstatus_suffix_file }}"
|
creates: "{{ apache_serverstatus_suffix_file }}"
|
||||||
|
|
||||||
- name: read apache server status suffix
|
- name: read apache server status suffix
|
||||||
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: new_apache_serverstatus_suffix
|
register: new_apache_serverstatus_suffix
|
||||||
|
|
||||||
- name: overwrite apache_serverstatus_suffix
|
- name: overwrite apache_serverstatus_suffix
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
|
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
|
||||||
|
|
||||||
- debug:
|
- ansible.builtin.debug:
|
||||||
var: apache_serverstatus_suffix
|
var: apache_serverstatus_suffix
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
|
||||||
- name: replace server-status suffix in default site index
|
- name: replace server-status suffix in default site index
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /var/www/index.html
|
dest: /var/www/index.html
|
||||||
regexp: '__SERVERSTATUS_SUFFIX__'
|
regexp: '__SERVERSTATUS_SUFFIX__'
|
||||||
replace: "{{ apache_serverstatus_suffix }}"
|
replace: "{{ apache_serverstatus_suffix }}"
|
||||||
|
|
||||||
- name: add server-status suffix in default site index if missing
|
- name: add server-status suffix in default site index if missing
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /var/www/index.html
|
dest: /var/www/index.html
|
||||||
regexp: '"/server-status-?"'
|
regexp: '"/server-status-?"'
|
||||||
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
|
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
|
||||||
|
|
||||||
- name: add server-status suffix in default VHost
|
- name: add server-status suffix in default VHost
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||||
regexp: '<Location /server-status-?>'
|
regexp: '<Location /server-status-?>'
|
||||||
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
|
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
|
|
||||||
- name: Munin configuration has a section for apache
|
- name: Munin configuration has a section for apache
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/munin/plugin-conf.d/munin-node
|
dest: /etc/munin/plugin-conf.d/munin-node
|
||||||
line: "[apache_*]"
|
line: "[apache_*]"
|
||||||
create: no
|
create: no
|
||||||
|
|
||||||
- name: apache-status URL is configured for Munin
|
- name: apache-status URL is configured for Munin
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/munin/plugin-conf.d/munin-node
|
dest: /etc/munin/plugin-conf.d/munin-node
|
||||||
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
|
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
|
||||||
regexp: 'env.url http://[^\\/]+/server-status'
|
regexp: 'env.url http://[^\\/]+/server-status'
|
||||||
|
@ -70,7 +72,7 @@
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
|
|
||||||
- name: add mailgraph URL in index.html
|
- name: add mailgraph URL in index.html
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /var/www/index.html
|
dest: /var/www/index.html
|
||||||
state: present
|
state: present
|
||||||
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
|
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
|
||||||
|
|
|
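Review bot: In "generate random string for server-status suffix" the `cmd:` moved under `ansible.builtin.shell:` but `creates:` stayed in a separate `args:` block; now that the module takes a mapping, `creates: "{{ apache_serverstatus_suffix_file }}"` belongs next to `cmd:` and the `args:` key can go, which reads as one module call instead of two. The same hunk keeps `check_mode: no` and `changed_when: False`, which are YAML 1.1 truthy spellings that yamllint flags; `false` is the canonical form. The suffix written by `apg` is what gates /server-status, and the registered `tail` output plus the `ansible.builtin.debug` task expose it at `-v`; that predates this commit but is worth knowing when sharing play logs.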
@ -8,6 +8,8 @@ apt_upgrade: False
|
||||||
apt_install_basics: True
|
apt_install_basics: True
|
||||||
apt_basics_components: "main"
|
apt_basics_components: "main"
|
||||||
|
|
||||||
|
# With Debian 12+ and the deb822 format of source files
|
||||||
|
# backports are always installed but enabled according to `apt_install_backports`
|
||||||
apt_install_backports: False
|
apt_install_backports: False
|
||||||
apt_backports_components: "main"
|
apt_backports_components: "main"
|
||||||
|
|
||||||
|
|
3
apt/files/bookworm_backports_preferences
Normal file
3
apt/files/bookworm_backports_preferences
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Package: *
|
||||||
|
Pin: release a=bookworm-backports
|
||||||
|
Pin-Priority: 50
|
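Review bot: The new preferences file carries no explanation of why the priority is 50, and apt preferences accept `#` comment lines, so a header such as `# Keep bookworm-backports configured but pinned below 100: an installed package is never upgraded to its backports version unless requested with -t bookworm-backports` would tie the file to the `apt_install_backports` default described in the CHANGELOG. The `a=bookworm-backports` pin is archive-specific, which matches the file name but means a copy for later releases will be needed.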
116
apt/files/deb822-migration.py
Normal file → Executable file
116
apt/files/deb822-migration.py
Normal file → Executable file
|
@ -3,20 +3,36 @@
|
||||||
import re
|
import re
|
||||||
import sys
|
import sys
|
||||||
import os
|
import os
|
||||||
|
import select
|
||||||
|
import apt
|
||||||
|
import apt_pkg
|
||||||
|
|
||||||
if len(sys.argv) > 1:
|
# Order matters !
|
||||||
src_file = sys.argv[1]
|
destinations = {
|
||||||
else:
|
"debian-security": "security.sources",
|
||||||
print("You must provide a source file as first argument", file=sys.stderr)
|
".*-backports": "backports.sources",
|
||||||
sys.exit(1)
|
".debian.org": "system.sources",
|
||||||
|
"mirror.evolix.org": "system.sources",
|
||||||
|
"pub.evolix.net": "evolix_public_old.sources",
|
||||||
|
"pub.evolix.org": "evolix_public.sources",
|
||||||
|
"artifacts.elastic.co": "elastic.sources",
|
||||||
|
"download.docker.com": "docker.sources",
|
||||||
|
"downloads.linux.hpe.com": "hp.sources",
|
||||||
|
"pkg.jenkins-ci.org": "jenkins.sources",
|
||||||
|
"packages.sury.org": "sury.sources",
|
||||||
|
"repo.mongodb.org": "mongodb.sources",
|
||||||
|
"apt.newrelic.com": "newrelic.sources",
|
||||||
|
"deb.nodesource.com": "nodesource.sources",
|
||||||
|
"dl.yarnpkg.com": "yarn.sources",
|
||||||
|
"apt.postgresql.org": "postgresql.sources",
|
||||||
|
"packages.microsoft.com/repos/vscode": "microsoft-vscode.sources",
|
||||||
|
"packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources",
|
||||||
|
"updates.signal.org": "signal.sources",
|
||||||
|
"downloads.1password.com/linux/debian": "1password.sources",
|
||||||
|
"download.virtualbox.org": "virtualbox.sources"
|
||||||
|
}
|
||||||
|
|
||||||
if not os.access(src_file, os.R_OK):
|
sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
|
||||||
print(src_file, "is not readable", file=sys.stderr)
|
|
||||||
sys.exit(2)
|
|
||||||
|
|
||||||
pattern = re.compile('^(?P<type>deb|deb-src) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
|
|
||||||
|
|
||||||
sources = {}
|
|
||||||
|
|
||||||
def split_options(raw):
|
def split_options(raw):
|
||||||
table = str.maketrans({
|
table = str.maketrans({
|
||||||
|
@ -27,25 +43,44 @@ def split_options(raw):
|
||||||
|
|
||||||
return options
|
return options
|
||||||
|
|
||||||
with open(src_file,'r') as file:
|
def auto_destination(uri):
|
||||||
for line in file:
|
basename = uri
|
||||||
matches = re.match(pattern, line)
|
basename = re.sub('\[[^\]]+\]', '', basename)
|
||||||
if matches is not None:
|
basename = re.sub('\w+://', '', basename)
|
||||||
# print(matches.groupdict())
|
basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split())
|
||||||
uri = matches['uri']
|
return '%s.sources' % basename
|
||||||
|
|
||||||
|
|
||||||
|
def destination(matches):
|
||||||
|
for search_str in destinations.keys():
|
||||||
|
search_pattern = re.compile(f'{search_str}(/|\s|$)')
|
||||||
|
if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]):
|
||||||
|
return destinations[search_str]
|
||||||
|
# fallback if nothing matches
|
||||||
|
return auto_destination(matches['uri'])
|
||||||
|
|
||||||
|
def prepare_sources(lines):
|
||||||
|
sources = {}
|
||||||
|
pattern = re.compile('^(?: *(?P<type>deb|deb-src)) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
|
||||||
|
|
||||||
|
for line in lines:
|
||||||
|
matches = re.match(pattern, line)
|
||||||
|
|
||||||
|
if matches is not None:
|
||||||
|
dest = destination(matches)
|
||||||
options = {}
|
options = {}
|
||||||
|
|
||||||
if matches.group('options'):
|
if matches.group('options'):
|
||||||
for option in split_options(matches['options']):
|
for option in split_options(matches['options']):
|
||||||
if "=" in option:
|
if "=" in option:
|
||||||
key, value = option.split("=")
|
key, value = option.split("=")
|
||||||
options[key] = value
|
options[key] = value
|
||||||
|
|
||||||
if uri in sources:
|
if dest in sources:
|
||||||
sources[uri]["Types"].add(matches["type"])
|
sources[dest]["Types"].add(matches["type"])
|
||||||
sources[uri]["URIs"] = matches["uri"]
|
sources[dest]["URIs"] = matches["uri"]
|
||||||
sources[uri]["Suites"].add(matches["suite"])
|
sources[dest]["Suites"].add(matches["suite"])
|
||||||
sources[uri]["Components"].update(matches["components"].split(' '))
|
sources[dest]["Components"].update(matches["components"].split(' '))
|
||||||
else:
|
else:
|
||||||
source = {
|
source = {
|
||||||
"Types": {matches['type']},
|
"Types": {matches['type']},
|
||||||
|
@ -83,14 +118,35 @@ with open(src_file,'r') as file:
|
||||||
else:
|
else:
|
||||||
source["Targets"] = {options["target"]}
|
source["Targets"] = {options["target"]}
|
||||||
|
|
||||||
sources[uri] = source
|
sources[dest] = source
|
||||||
|
return sources
|
||||||
|
|
||||||
for i, (uri, source) in enumerate(sources.items()):
|
def save_sources(sources, output_dir):
|
||||||
if i > 0:
|
# print(output_dir)
|
||||||
print("")
|
# print(sources)
|
||||||
|
for dest, source in sources.items():
|
||||||
|
source_path = output_dir + dest
|
||||||
|
|
||||||
|
with open(source_path, 'w') as file:
|
||||||
for key, value in source.items():
|
for key, value in source.items():
|
||||||
if isinstance(value, str):
|
if isinstance(value, str):
|
||||||
print("{}: {}".format(key, value) )
|
file.write("{}: {}\n".format(key, value))
|
||||||
else:
|
else:
|
||||||
print("{}: {}".format(key, ' '.join(value)) )
|
file.write("{}: {}\n".format(key, ' '.join(value)))
|
||||||
i += 1
|
|
||||||
|
def main():
|
||||||
|
if select.select([sys.stdin, ], [], [], 0.0)[0]:
|
||||||
|
sources = prepare_sources(sys.stdin)
|
||||||
|
# elif len(sys.argv) > 1:
|
||||||
|
# sources = prepare_sources([sys.argv[1]])
|
||||||
|
else:
|
||||||
|
print("You must provide source lines to stdin", file=sys.stderr)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
|
||||||
|
save_sources(sources, output_dir)
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
|
|
||||||
|
sys.exit(0)
|
61
apt/files/deb822-migration.sh
Normal file → Executable file
|
@ -10,39 +10,40 @@ if [ ! -x "${deb822_migrate_script}" ]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
dest_dir="/etc/apt/sources.list.d"
|
sources_from_file() {
|
||||||
rc=0
|
grep --extended-regexp "^\s*(deb|deb-src) " $1
|
||||||
|
|
||||||
migrate_file() {
|
|
||||||
legacy_file=$1
|
|
||||||
deb822_file=$2
|
|
||||||
|
|
||||||
if [ -f "${legacy_file}" ]; then
|
|
||||||
if [ -f "${deb822_file}" ]; then
|
|
||||||
>&2 echo "ERROR: '${deb822_file}' already exists"
|
|
||||||
rc=2
|
|
||||||
else
|
|
||||||
${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"
|
|
||||||
if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then
|
|
||||||
mv "${legacy_file}" "${legacy_file}.bak"
|
|
||||||
echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
|
|
||||||
else
|
|
||||||
>&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
|
|
||||||
rc=2
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
>&2 echo "ERROR: '${legacy_file}' not found"
|
|
||||||
rc=2
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources"
|
rc=0
|
||||||
|
count=0
|
||||||
|
|
||||||
# shellcheck disable=SC2044
|
if [ -f /etc/apt/sources.list ]; then
|
||||||
for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
|
sources_from_file /etc/apt/sources.list | ${deb822_migrate_script}
|
||||||
deb822_file=$(basename "${legacy_file}" .list)
|
python_rc=$?
|
||||||
migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources"
|
|
||||||
|
if [ ${python_rc} -eq 0 ]; then
|
||||||
|
mv /etc/apt/sources.list /etc/apt/sources.list.bak
|
||||||
|
echo "OK: /etc/apt/sources.list"
|
||||||
|
count=$(( count + 1 ))
|
||||||
|
else
|
||||||
|
>&2 echo "ERROR: failed migration for /etc/apt/sources.list"
|
||||||
|
rc=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
|
||||||
|
sources_from_file "${file}" | ${deb822_migrate_script}
|
||||||
|
python_rc=$?
|
||||||
|
|
||||||
|
if [ ${python_rc} -eq 0 ]; then
|
||||||
|
mv "${file}" "${file}.bak"
|
||||||
|
echo "OK: ${file}"
|
||||||
|
count=$(( count + 1 ))
|
||||||
|
else
|
||||||
|
>&2 echo "ERROR: failed migration for ${file}"
|
||||||
|
rc=1
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
echo "${count} file(s) migrated"
|
||||||
exit ${rc}
|
exit ${rc}
|
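Review bot: The new main loop no longer checks whether the deb822 target already exists before converting, a guard the removed migrate_file() had (`ERROR: '${deb822_file}' already exists`), and the Python save_sources() visible earlier on this page opens `output_dir + dest` with `'w'`, so an existing `.sources` file with the same stem is overwritten silently before the `.list` is renamed to `.bak`; how `dest` is derived is outside this view, so confirm the Python side refuses to clobber or restore the check here. `sources_from_file` also passes `$1` unquoted and the `for file in $(find ...)` loop word-splits on filenames, while the `# shellcheck disable=SC2044` comment that acknowledged this was dropped; use `grep --extended-regexp "^\s*(deb|deb-src) " "$1"` and iterate with `for file in /etc/apt/sources.list.d/*.list; do [ -f "${file}" ] || continue` instead of the find substitution.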
BIN
apt/files/pub_evolix.gpg
Normal file
28
apt/tasks/backports.deb822.yml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Backports deb822 sources list is installed
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ ansible_distribution_release }}_backports.sources.j2'
|
||||||
|
dest: /etc/apt/sources.list.d/backports.sources
|
||||||
|
force: yes
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_backports_sources
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Backports configuration
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: '{{ ansible_distribution_release }}_backports_preferences'
|
||||||
|
dest: /etc/apt/preferences.d/0-backports-defaults
|
||||||
|
force: yes
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_backports_config
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
when: apt_backports_sources is changed or apt_backports_config is changed
|
||||||
|
tags:
|
||||||
|
- apt
|
45
apt/tasks/backports.oneline.yml
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
- name: No backports config in default sources.list
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
dest: /etc/apt/sources.list
|
||||||
|
regexp: "backports"
|
||||||
|
state: absent
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Backports sources list is installed
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ ansible_distribution_release }}_backports.list.j2'
|
||||||
|
dest: /etc/apt/sources.list.d/backports.list
|
||||||
|
force: yes
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_backports_list
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Backports configuration
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: '{{ ansible_distribution_release }}_backports_preferences'
|
||||||
|
dest: /etc/apt/preferences.d/0-backports-defaults
|
||||||
|
force: yes
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_backports_config
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Archived backport are accepted (jessie)
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
|
||||||
|
line: 'Acquire::Check-Valid-Until no;'
|
||||||
|
create: yes
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_backports_list is changed or apt_backports_config is changed
|
|
@ -1,45 +1,13 @@
|
||||||
---
|
---
|
||||||
- name: No backports config in default sources.list
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/apt/sources.list
|
|
||||||
regexp: "backports"
|
|
||||||
state: absent
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Backports sources list is installed
|
# Backward compatibility task file
|
||||||
template:
|
|
||||||
src: '{{ ansible_distribution_release }}_backports.list.j2'
|
|
||||||
dest: /etc/apt/sources.list.d/backports.list
|
|
||||||
force: yes
|
|
||||||
mode: "0640"
|
|
||||||
register: apt_backports_list
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Backports configuration
|
- name: Install backports repositories (Debian <12)
|
||||||
copy:
|
ansible.builtin.import_tasks: backports.oneline.yml
|
||||||
src: '{{ ansible_distribution_release }}_backports_preferences'
|
when:
|
||||||
dest: /etc/apt/preferences.d/0-backports-defaults
|
- ansible_distribution_major_version is version('12', '<')
|
||||||
force: yes
|
|
||||||
mode: "0640"
|
|
||||||
register: apt_backports_config
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Archived backport are accepted (jessie)
|
- name: Install backports repositories (Debian >=12)
|
||||||
lineinfile:
|
ansible.builtin.import_tasks: backports.deb822.yml
|
||||||
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
|
when:
|
||||||
line: 'Acquire::Check-Valid-Until no;'
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
create: yes
|
|
||||||
state: present
|
|
||||||
when: ansible_distribution_release == "jessie"
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Apt update
|
|
||||||
apt:
|
|
||||||
update_cache: yes
|
|
||||||
when: apt_backports_list is changed or apt_backports_config is changed
|
|
||||||
tags:
|
|
||||||
- apt
|
|
45
apt/tasks/basics.deb822.yml
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Change basics repositories
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ ansible_distribution_release }}_basics.sources.j2"
|
||||||
|
dest: /etc/apt/sources.list.d/system.sources
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
register: apt_basic_sources
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Change security repositories
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ ansible_distribution_release }}_security.sources.j2"
|
||||||
|
dest: /etc/apt/sources.list.d/security.sources
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
register: apt_security_sources
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Find one-line APT sources
|
||||||
|
ansible.builtin.find:
|
||||||
|
paths: /etc/apt
|
||||||
|
patterns: '*.list'
|
||||||
|
register: list_files
|
||||||
|
|
||||||
|
- name: Disable one-line-formatted sources
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
|
||||||
|
environment:
|
||||||
|
LC_ALL: C
|
||||||
|
loop: "{{ list_files.files }}"
|
||||||
|
register: rename_cmd
|
||||||
|
changed_when: "'renamed' in rename_cmd.stdout"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_basic_list is changed or apt_security_sources is changed
|
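Review bot: The final "Apt update" task tests `apt_basic_list is changed`, but nothing in this file registers `apt_basic_list`; the template task registers `apt_basic_sources`, so on a host where only this file runs the variable is undefined and the task errors (or, if basics.oneline.yml ran earlier in the same play, it reads a stale result). Change it to `when: apt_basic_sources is changed or apt_security_sources is changed`. The "Find one-line APT sources" task carries no `tags: - apt` while the "Disable one-line-formatted sources" task that consumes `list_files.files` does, so a `--tags apt` run skips the find and the loop fails on an undefined variable; and since `ansible.builtin.find` is not recursive by default, `paths: /etc/apt` with `patterns: '*.list'` appears to match only `/etc/apt/sources.list` and not `sources.list.d/*.list` — confirm whether that is intended.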
18
apt/tasks/basics.oneline.yml
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Change basics repositories
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ ansible_distribution_release }}_basics.list.j2"
|
||||||
|
dest: /etc/apt/sources.list
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
register: apt_basic_list
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_basic_list is changed
|
|
@ -1,33 +1,13 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Change basics repositories
|
# Backward compatibility task file
|
||||||
template:
|
|
||||||
src: "{{ ansible_distribution_release }}_basics.list.j2"
|
|
||||||
dest: /etc/apt/sources.list
|
|
||||||
mode: "0644"
|
|
||||||
force: yes
|
|
||||||
register: apt_basic_list
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Clean GANDI sources.list.d/debian-security.list
|
- name: Install basics repositories (Debian <12)
|
||||||
file:
|
ansible.builtin.import_tasks: basics.oneline.yml
|
||||||
path: '{{ item }}'
|
when:
|
||||||
state: absent
|
- ansible_distribution_major_version is version('12', '<')
|
||||||
loop:
|
|
||||||
- /etc/apt/sources.list.d/debian-security.list
|
|
||||||
- /etc/apt/sources.list.d/debian-jessie.list
|
|
||||||
- /etc/apt/sources.list.d/debian-stretch.list
|
|
||||||
- /etc/apt/sources.list.d/debian-buster.list
|
|
||||||
- /etc/apt/sources.list.d/debian-bullseye.list
|
|
||||||
- /etc/apt/sources.list.d/debian-update.list
|
|
||||||
when: apt_clean_gandi_sourceslist | bool
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Apt update
|
- name: Install basics repositories (Debian >=12)
|
||||||
apt:
|
ansible.builtin.import_tasks: basics.deb822.yml
|
||||||
update_cache: yes
|
when:
|
||||||
when: apt_basic_list is changed
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
tags:
|
|
||||||
- apt
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Evolinux config for APT
|
- name: Evolinux config for APT
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
||||||
line: "{{ item.line }}"
|
line: "{{ item.line }}"
|
||||||
regexp: "{{ item.regexp }}"
|
regexp: "{{ item.regexp }}"
|
||||||
|
@ -12,12 +12,12 @@
|
||||||
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
||||||
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
||||||
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
|
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
|
||||||
when: apt_evolinux_config | bool
|
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when: apt_evolinux_config | bool
|
||||||
|
|
||||||
- name: DPkg invoke hooks
|
- name: DPkg invoke hooks
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
create: yes
|
create: yes
|
||||||
|
@ -28,14 +28,14 @@
|
||||||
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
|
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
|
||||||
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
|
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
|
||||||
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
|
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
|
||||||
when: apt_hooks | bool
|
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when: apt_hooks | bool
|
||||||
|
|
||||||
- name: Remove Aptitude
|
- name: Remove Aptitude
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: aptitude
|
name: aptitude
|
||||||
state: absent
|
state: absent
|
||||||
when: apt_remove_aptitude | bool
|
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when: apt_remove_aptitude | bool
|
||||||
|
|
45
apt/tasks/evolix_public.deb822.yml
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Evolix embedded GPG key is absent
|
||||||
|
ansible.builtin.apt_key:
|
||||||
|
id: "B8612B5D"
|
||||||
|
keyring: /etc/apt/trusted.gpg
|
||||||
|
state: absent
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
|
|
||||||
|
- name: Add Evolix GPG key
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: pub_evolix.asc
|
||||||
|
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||||
|
force: yes
|
||||||
|
mode: "0644"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Evolix public list is installed
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: evolix_public.sources.j2
|
||||||
|
dest: /etc/apt/sources.list.d/evolix_public.sources
|
||||||
|
force: yes
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_evolix_public
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_evolix_public is changed
|
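Review bot: This task list copies and references `pub_evolix.asc` (and the deb822 template pins `Signed-by` to that same path), yet the commit also adds a binary `apt/files/pub_evolix.gpg` that no task visible on this page references; if the `.gpg` is not consumed elsewhere in the role it is dead key material that will drift from the `.asc` actually trusted by apt, so either wire it in or drop it. Pinning `Signed-by` to a dedicated keyring is the right direction; it would be worth a one-line comment above "Add Evolix GPG key" such as `# This key is the only one trusted for pub.evolix.org via Signed-by in evolix_public.sources.j2` so the coupling between the copy task and the template is explicit.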
45
apt/tasks/evolix_public.oneline.yml
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Evolix embedded GPG key is absent
|
||||||
|
ansible.builtin.apt_key:
|
||||||
|
id: "B8612B5D"
|
||||||
|
keyring: /etc/apt/trusted.gpg
|
||||||
|
state: absent
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
|
|
||||||
|
- name: Add Evolix GPG key
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: pub_evolix.asc
|
||||||
|
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||||
|
force: yes
|
||||||
|
mode: "0644"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Evolix public list is installed
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: evolix_public.list.j2
|
||||||
|
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||||
|
force: yes
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_evolix_public
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_evolix_public is changed
|
|
@ -1,45 +1,13 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Look for legacy apt keyring
|
# Backward compatibility task file
|
||||||
stat:
|
|
||||||
path: /etc/apt/trusted.gpg
|
|
||||||
register: _trusted_gpg_keyring
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Evolix embedded GPG key is absent
|
- name: Install Evolix Public repositories (Debian <12)
|
||||||
apt_key:
|
ansible.builtin.import_tasks: evolix_public.oneline.yml
|
||||||
id: "B8612B5D"
|
when:
|
||||||
keyring: /etc/apt/trusted.gpg
|
- ansible_distribution_major_version is version('12', '<')
|
||||||
state: absent
|
|
||||||
when: _trusted_gpg_keyring.stat.exists
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Add Evolix GPG key
|
- name: Install Evolix Public repositories (Debian >=12)
|
||||||
copy:
|
ansible.builtin.import_tasks: evolix_public.deb822.yml
|
||||||
src: pub_evolix.asc
|
when:
|
||||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
force: yes
|
|
||||||
mode: "0644"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Evolix public list is installed
|
|
||||||
template:
|
|
||||||
src: evolix_public.list.j2
|
|
||||||
dest: /etc/apt/sources.list.d/evolix_public.list
|
|
||||||
force: yes
|
|
||||||
mode: "0640"
|
|
||||||
register: apt_evolix_public
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Apt update
|
|
||||||
apt:
|
|
||||||
update_cache: yes
|
|
||||||
when: apt_evolix_public is changed
|
|
||||||
tags:
|
|
||||||
- apt
|
|
|
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: "hold packages (apt)"
|
- name: "hold packages (apt)"
|
||||||
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
|
ansible.builtin.shell:
|
||||||
args:
|
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: apt_mark
|
register: apt_mark
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: "/etc/evolinux is present"
|
- name: "/etc/evolinux is present"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: /etc/evolinux
|
dest: /etc/evolinux
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
state: directory
|
state: directory
|
||||||
|
@ -26,7 +26,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: "hold packages (config)"
|
- name: "hold packages (config)"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/evolinux/apt_hold_packages.cf
|
dest: /etc/evolinux/apt_hold_packages.cf
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
create: True
|
create: True
|
||||||
|
@ -36,8 +36,8 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: "unhold packages (apt)"
|
- name: "unhold packages (apt)"
|
||||||
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
|
ansible.builtin.shell:
|
||||||
args:
|
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: apt_mark
|
register: apt_mark
|
||||||
|
@ -48,7 +48,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: "unhold packages (config)"
|
- name: "unhold packages (config)"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/evolinux/apt_hold_packages.cf
|
dest: /etc/evolinux/apt_hold_packages.cf
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
create: True
|
create: True
|
||||||
|
@ -58,7 +58,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: /usr/share/scripts exists
|
- name: /usr/share/scripts exists
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: /usr/share/scripts
|
dest: /usr/share/scripts
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -68,7 +68,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Check scripts is installed
|
- name: Check scripts is installed
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: check_held_packages.sh
|
src: check_held_packages.sh
|
||||||
dest: /usr/share/scripts/check_held_packages.sh
|
dest: /usr/share/scripts/check_held_packages.sh
|
||||||
force: yes
|
force: yes
|
||||||
|
@ -77,7 +77,8 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Check if Cron is installed
|
- name: Check if Cron is installed
|
||||||
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
ansible.builtin.shell:
|
||||||
|
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||||
register: is_cron
|
register: is_cron
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
@ -86,7 +87,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Check for held packages (script)
|
- name: Check for held packages (script)
|
||||||
cron:
|
ansible.builtin.cron:
|
||||||
cron_file: apt-hold-packages
|
cron_file: apt-hold-packages
|
||||||
name: check_held_packages
|
name: check_held_packages
|
||||||
job: "/usr/share/scripts/check_held_packages.sh"
|
job: "/usr/share/scripts/check_held_packages.sh"
|
||||||
|
@ -97,6 +98,6 @@
|
||||||
day: "{{ apt_check_hold_cron_day }}"
|
day: "{{ apt_check_hold_cron_day }}"
|
||||||
month: "{{ apt_check_hold_cron_month }}"
|
month: "{{ apt_check_hold_cron_month }}"
|
||||||
state: "present"
|
state: "present"
|
||||||
when: is_cron.rc == 0
|
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when: is_cron.rc == 0
|
||||||
|
|
|
@ -1,52 +1,116 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "Compatibility check"
|
- name: "Compatibility check"
|
||||||
fail:
|
ansible.builtin.assert:
|
||||||
msg: only compatible with Debian >= 8
|
that:
|
||||||
when:
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
|
- ansible_distribution_major_version is version('8', '>=')
|
||||||
|
msg: Only compatible with Debian >= 8
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: "apt-transport-https is installed for https repositories (before Buster)"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- apt-transport-https
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: ansible_distribution_major_version is version('10', '<')
|
||||||
|
|
||||||
|
- name: "certificates are installed for https repositories"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- ca-certificates
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Custom configuration
|
- name: Custom configuration
|
||||||
include: config.yml
|
ansible.builtin.import_tasks: config.yml
|
||||||
when: apt_config | bool
|
when: apt_config | bool
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Install basics repositories
|
- name: Install basics repositories (Debian <12)
|
||||||
include: basics.yml
|
ansible.builtin.import_tasks: basics.oneline.yml
|
||||||
when: apt_install_basics | bool
|
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when:
|
||||||
|
- apt_install_basics | bool
|
||||||
|
- ansible_distribution_major_version is version('12', '<')
|
||||||
|
|
||||||
- name: Install APT Backports repository
|
- name: Install basics repositories (Debian >=12)
|
||||||
include: backports.yml
|
ansible.builtin.import_tasks: basics.deb822.yml
|
||||||
when: apt_install_backports | bool
|
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when:
|
||||||
|
- apt_install_basics | bool
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
- name: Install Evolix Public APT repository
|
- name: Install backports repositories (Debian <12)
|
||||||
include: evolix_public.yml
|
ansible.builtin.import_tasks: backports.oneline.yml
|
||||||
when: apt_install_evolix_public | bool
|
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when:
|
||||||
|
- apt_install_backports | bool
|
||||||
|
- ansible_distribution_major_version is version('12', '<')
|
||||||
|
|
||||||
|
# With Debian 12+ and the deb822 format of source files
|
||||||
|
# backports are always installed but enabled according to `apt_install_backports`
|
||||||
|
- name: Install backports repositories (Debian >=12)
|
||||||
|
ansible.builtin.import_tasks: backports.deb822.yml
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
|
||||||
|
- name: Install Evolix Public repositories (Debian <12)
|
||||||
|
ansible.builtin.import_tasks: evolix_public.oneline.yml
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when:
|
||||||
|
- apt_install_evolix_public | bool
|
||||||
|
- ansible_distribution_major_version is version('12', '<')
|
||||||
|
|
||||||
|
- name: Install Evolix Public repositories (Debian >=12)
|
||||||
|
ansible.builtin.import_tasks: evolix_public.deb822.yml
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when:
|
||||||
|
- apt_install_evolix_public | bool
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
- name: Clean GANDI sources
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: '{{ item }}'
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- /etc/apt/sources.list.d/debian-security.list
|
||||||
|
- /etc/apt/sources.list.d/debian-jessie.list
|
||||||
|
- /etc/apt/sources.list.d/debian-stretch.list
|
||||||
|
- /etc/apt/sources.list.d/debian-buster.list
|
||||||
|
- /etc/apt/sources.list.d/debian-bullseye.list
|
||||||
|
- /etc/apt/sources.list.d/debian-update.list
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_clean_gandi_sourceslist | bool
|
||||||
|
|
||||||
|
|
||||||
- name: Install check for packages marked hold
|
- name: Install check for packages marked hold
|
||||||
include: hold_packages.yml
|
ansible.builtin.import_tasks: hold_packages.yml
|
||||||
when: apt_install_hold_packages | bool
|
when: apt_install_hold_packages | bool
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Updating APT cache
|
- name: Updating APT cache
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
changed_when: False
|
changed_when: False
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Upgrading system
|
- name: Upgrading system
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
upgrade: dist
|
upgrade: dist
|
||||||
when: apt_upgrade | bool
|
when: apt_upgrade | bool
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
---
|
---
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: /usr/share/scripts exists
|
- name: /usr/share/scripts exists
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: /usr/share/scripts
|
dest: /usr/share/scripts
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -13,7 +13,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Migration scripts are installed
|
- name: Migration scripts are installed
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: "/usr/share/scripts/{{ item }}"
|
dest: "/usr/share/scripts/{{ item }}"
|
||||||
force: yes
|
force: yes
|
||||||
|
@ -25,7 +25,8 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Exec migration script
|
- name: Exec migration script
|
||||||
command: /usr/share/scripts/deb822-migration.sh
|
ansible.builtin.command:
|
||||||
|
cmd: /usr/share/scripts/deb822-migration.sh
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
|
@ -1,18 +1,18 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: New APT keyrings directory is present
|
- name: New APT keyrings directory is present
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /etc/apt/keyrings
|
path: /etc/apt/keyrings
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: /usr/share/scripts exists
|
- name: /usr/share/scripts exists
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: /usr/share/scripts
|
dest: /usr/share/scripts
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -22,7 +22,7 @@
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: migration script is present
|
- name: migration script is present
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: move-apt-keyrings.sh
|
src: move-apt-keyrings.sh
|
||||||
dest: /usr/share/scripts/move-apt-keyrings.sh
|
dest: /usr/share/scripts/move-apt-keyrings.sh
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -30,7 +30,8 @@
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Move repository signing key
|
- name: Move repository signing key
|
||||||
command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
|
ansible.builtin.command:
|
||||||
|
cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
|
||||||
loop:
|
loop:
|
||||||
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
|
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
|
||||||
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
|
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
|
||||||
|
@ -48,5 +49,5 @@
|
||||||
register: _cmd
|
register: _cmd
|
||||||
|
|
||||||
- name: Debug command
|
- name: Debug command
|
||||||
debug:
|
ansible.builtin.debug:
|
||||||
var: _cmd
|
var: _cmd
|
||||||
|
|
7
apt/templates/bookworm_backports.sources.j2
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
Types: deb
|
||||||
|
URIs: http://mirror.evolix.org/debian
|
||||||
|
Suites: bullseye-backports
|
||||||
|
Components: {{ apt_backports_components | mandatory }}
|
||||||
|
Enabled: {{ apt_install_backports | bool | ternary('yes', 'no') }}
|
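Review bot: `Suites: bullseye-backports` is wrong for a template named bookworm_backports.sources.j2 — backports.deb822.yml selects this file by `ansible_distribution_release`, so every bookworm host would be pointed at the bullseye backports suite and pull packages built for the previous release; change it to `Suites: bookworm-backports`. The `Enabled: {{ apt_install_backports | bool | ternary('yes', 'no') }}` line is fine for apt's deb822 parser, but a short comment such as `# Always written; apt_install_backports only toggles Enabled` would explain why this template differs from the one-line variant.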
|
@ -1,5 +0,0 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }}
|
|
||||||
deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }}
|
|
||||||
deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }}
|
|
7
apt/templates/bookworm_basics.sources.j2
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
Types: deb
|
||||||
|
URIs: http://mirror.evolix.org/debian
|
||||||
|
Suites: bookworm bookworm-updates
|
||||||
|
Components: {{ apt_basics_components | mandatory }}
|
||||||
|
Enabled: yes
|
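--- /dev/null
+++ b/apt/templates/bookworm_security.sources.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://security.debian.org/debian-security
+Suites: bookworm-security
+Components: {{ apt_basics_components | mandatory }}
+Enabled: yes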
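--- /dev/null
+++ b/apt/templates/evolix_public.sources.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types:deb
+URIs: http://pub.evolix.org/evolix
+Suites: {{ ansible_distribution_release }}
+Components: main
+Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc
+Enabled: yes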
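Review bot: `Types:deb` is missing the space after the colon that every other field in this file and in the sibling `*.sources.j2` templates of this commit uses; write `Types: deb`. apt's deb822 parser tolerates the missing space, so this is a consistency point rather than a functional one, but it is the kind of line a grep for `Types: ` would silently skip. Restricting the source with `Signed-by` as done here is the right approach for a third-party repository.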
@ -1,21 +1,21 @@
|
||||||
---
|
---
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
daemon-reload: yes
|
daemon-reload: yes
|
||||||
|
|
||||||
|
|
||||||
- name: restart apparmor
|
- name: restart apparmor
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: apparmor
|
name: apparmor
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart bind
|
- name: restart bind
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: bind9
|
name: bind9
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart munin-node
|
- name: restart munin-node
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: munin-node
|
name: munin-node
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
|
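Review bot: `daemon-reload: yes` under `ansible.builtin.systemd` uses the hyphenated alias of the parameter; the documented name is `daemon_reload`, which the certbot `systemd daemon-reload` handler in this same commit already uses, so `daemon_reload: true` would keep the handlers consistent. The same alias appears in the docker-host `reload systemd` handler. Writing the boolean as `true` rather than `yes` also avoids the YAML 1.1 truthy-value ambiguity that yamllint flags.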
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Set bind configuration for authoritative server
|
- name: Set bind configuration for authoritative server
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: named.conf.options_authoritative.j2
|
src: named.conf.options_authoritative.j2
|
||||||
dest: /etc/bind/named.conf.options
|
dest: /etc/bind/named.conf.options
|
||||||
owner: bind
|
owner: bind
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
|
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
|
||||||
- name: set chroot variables
|
- name: set chroot variables
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
bind_log_file: /var/log/bind.log
|
bind_log_file: /var/log/bind.log
|
||||||
bind_query_file: /var/log/bind_queries.log
|
bind_query_file: /var/log/bind_queries.log
|
||||||
bind_cache_dir: /var/cache/bind
|
bind_cache_dir: /var/cache/bind
|
||||||
|
@ -9,14 +9,15 @@
|
||||||
when: bind_chroot_set | bool
|
when: bind_chroot_set | bool
|
||||||
|
|
||||||
- name: Check AppArmor
|
- name: Check AppArmor
|
||||||
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
|
ansible.builtin.shell:
|
||||||
|
cmd: systemctl is-active apparmor || systemctl is-enabled apparmor
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: check_apparmor
|
register: check_apparmor
|
||||||
|
|
||||||
- name: configure apparmor
|
- name: configure apparmor
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: apparmor.usr.sbin.named.j2
|
src: apparmor.usr.sbin.named.j2
|
||||||
dest: /etc/apparmor.d/usr.sbin.named
|
dest: /etc/apparmor.d/usr.sbin.named
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -27,20 +28,20 @@
|
||||||
when: check_apparmor.rc == 0
|
when: check_apparmor.rc == 0
|
||||||
|
|
||||||
- name: package are installed
|
- name: package are installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- bind9
|
- bind9
|
||||||
- dnstop
|
- dnstop
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- include: authoritative.yml
|
- ansible.builtin.include: authoritative.yml
|
||||||
when: bind_authoritative_server | bool
|
when: bind_authoritative_server | bool
|
||||||
|
|
||||||
- include: recursive.yml
|
- ansible.builtin.include: recursive.yml
|
||||||
when: bind_recursive_server | bool
|
when: bind_recursive_server | bool
|
||||||
|
|
||||||
- name: Create systemd service for Debian 8 (Jessie)
|
- name: Create systemd service for Debian 8 (Jessie)
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: bind9.service.jessie.j2
|
src: bind9.service.jessie.j2
|
||||||
dest: "{{ bind_systemd_service_path }}"
|
dest: "{{ bind_systemd_service_path }}"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -53,7 +54,7 @@
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: "touch {{ bind_log_file }} if non chroot"
|
- name: "touch {{ bind_log_file }} if non chroot"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ bind_log_file }}"
|
path: "{{ bind_log_file }}"
|
||||||
owner: bind
|
owner: bind
|
||||||
group: adm
|
group: adm
|
||||||
|
@ -62,7 +63,7 @@
|
||||||
when: not (bind_chroot_set | bool)
|
when: not (bind_chroot_set | bool)
|
||||||
|
|
||||||
- name: "touch {{ bind_query_file }} if non chroot"
|
- name: "touch {{ bind_query_file }} if non chroot"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ bind_query_file }}"
|
path: "{{ bind_query_file }}"
|
||||||
owner: bind
|
owner: bind
|
||||||
group: adm
|
group: adm
|
||||||
|
@ -71,7 +72,7 @@
|
||||||
when: not (bind_chroot_set | bool)
|
when: not (bind_chroot_set | bool)
|
||||||
|
|
||||||
- name: send chroot-bind.sh in /root
|
- name: send chroot-bind.sh in /root
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: chroot-bind.sh
|
src: chroot-bind.sh
|
||||||
dest: /root/chroot-bind.sh
|
dest: /root/chroot-bind.sh
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
|
@ -81,19 +82,20 @@
|
||||||
when: bind_chroot_set | bool
|
when: bind_chroot_set | bool
|
||||||
|
|
||||||
- name: exec chroot-bind.sh
|
- name: exec chroot-bind.sh
|
||||||
command: "/root/chroot-bind.sh"
|
ansible.builtin.command:
|
||||||
|
cmd: "/root/chroot-bind.sh"
|
||||||
register: chrootbind_run
|
register: chrootbind_run
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when: bind_chroot_set | bool
|
when: bind_chroot_set | bool
|
||||||
|
|
||||||
- debug:
|
- ansible.builtin.debug:
|
||||||
var: chrootbind_run.stdout_lines
|
var: chrootbind_run.stdout_lines
|
||||||
when:
|
when:
|
||||||
- bind_chroot_set | bool
|
- bind_chroot_set | bool
|
||||||
- chrootbind_run.stdout | length > 0
|
- chrootbind_run.stdout | length > 0
|
||||||
|
|
||||||
- name: Modify OPTIONS in /etc/default/bind9 for chroot
|
- name: Modify OPTIONS in /etc/default/bind9 for chroot
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/default/bind9
|
dest: /etc/default/bind9
|
||||||
regexp: '^OPTIONS=.*'
|
regexp: '^OPTIONS=.*'
|
||||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
||||||
|
@ -101,7 +103,7 @@
|
||||||
when: bind_chroot_set | bool
|
when: bind_chroot_set | bool
|
||||||
|
|
||||||
- name: logrotate for bind
|
- name: logrotate for bind
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: logrotate_bind.j2
|
src: logrotate_bind.j2
|
||||||
dest: /etc/logrotate.d/bind9
|
dest: /etc/logrotate.d/bind9
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -110,4 +112,4 @@
|
||||||
force: yes
|
force: yes
|
||||||
notify: restart bind
|
notify: restart bind
|
||||||
|
|
||||||
- include: munin.yml
|
- ansible.builtin.include: munin.yml
|
||||||
|
|
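Review bot: `ansible.builtin.include: authoritative.yml` (and the `recursive.yml` and `munin.yml` includes below it) converts a deprecated action to its FQCN without replacing it: `include` has been deprecated since Ansible 2.4 and is slated for removal in ansible-core 2.16, so the FQCN spelling will stop working as well. Use `ansible.builtin.include_tasks` (dynamic, honours the `when`) or `ansible.builtin.import_tasks` (static) instead; the same pattern appears in the certbot main task file later in this commit, on its install-legacy.yml, install-package.yml and acme-challenge.yml includes. The `Check AppArmor` probe with `failed_when: False` and `check_mode: no` is fine, but a comment such as `# non-zero rc means AppArmor is absent or inactive; gates the next task` would make the `check_apparmor.rc == 0` condition self-explanatory.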
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: is Munin present ?
|
- name: is Munin present ?
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/munin/plugin-conf.d/munin-node
|
path: /etc/munin/plugin-conf.d/munin-node
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: munin_node_plugins_config
|
register: munin_node_plugins_config
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
- munin
|
- munin
|
||||||
|
|
||||||
- name: Enable munin plugins for authoritative server
|
- name: Enable munin plugins for authoritative server
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: "/usr/share/munin/plugins/{{ item }}"
|
src: "/usr/share/munin/plugins/{{ item }}"
|
||||||
dest: "/etc/munin/plugins/{{ item }}"
|
dest: "/etc/munin/plugins/{{ item }}"
|
||||||
state: link
|
state: link
|
||||||
|
@ -18,31 +18,31 @@
|
||||||
- bind9
|
- bind9
|
||||||
- bind9_rndc
|
- bind9_rndc
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when:
|
|
||||||
- bind_authoritative_server | bool
|
|
||||||
- munin_node_plugins_config.stat.exists
|
|
||||||
tags:
|
tags:
|
||||||
- bind
|
- bind
|
||||||
- munin
|
- munin
|
||||||
|
when:
|
||||||
|
- bind_authoritative_server | bool
|
||||||
|
- munin_node_plugins_config.stat.exists
|
||||||
|
|
||||||
- name: Enable munin plugins for recursive server
|
- name: Enable munin plugins for recursive server
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: "/usr/share/munin/plugins/{{ item }}"
|
src: "/usr/share/munin/plugins/{{ item }}"
|
||||||
dest: "/etc/munin/plugins/{{ item }}"
|
dest: "/etc/munin/plugins/{{ item }}"
|
||||||
state: link
|
state: link
|
||||||
loop:
|
loop:
|
||||||
- bind9
|
- bind9
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
|
tags:
|
||||||
|
- bind
|
||||||
|
- munin
|
||||||
when:
|
when:
|
||||||
- bind_recursive_server | bool
|
- bind_recursive_server | bool
|
||||||
- bind_query_file_enabled | bool
|
- bind_query_file_enabled | bool
|
||||||
- munin_node_plugins_config.stat.exists
|
- munin_node_plugins_config.stat.exists
|
||||||
tags:
|
|
||||||
- bind
|
|
||||||
- munin
|
|
||||||
|
|
||||||
- name: Add munin plugin configuration
|
- name: Add munin plugin configuration
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: munin-env_bind9.j2
|
src: munin-env_bind9.j2
|
||||||
dest: /etc/munin/plugin-conf.d/bind9
|
dest: /etc/munin/plugin-conf.d/bind9
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -50,7 +50,7 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: yes
|
force: yes
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when: munin_node_plugins_config.stat.exists
|
|
||||||
tags:
|
tags:
|
||||||
- bind
|
- bind
|
||||||
- munin
|
- munin
|
||||||
|
when: munin_node_plugins_config.stat.exists
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
|
|
||||||
- name: Set bind configuration for recursive server
|
- name: Set bind configuration for recursive server
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: named.conf.options_recursive.j2
|
src: named.conf.options_recursive.j2
|
||||||
dest: /etc/bind/named.conf.options
|
dest: /etc/bind/named.conf.options
|
||||||
owner: bind
|
owner: bind
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
notify: restart bind
|
notify: restart bind
|
||||||
|
|
||||||
- name: enable zones.rfc1918 for recursive server
|
- name: enable zones.rfc1918 for recursive server
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/bind/named.conf.local
|
dest: /etc/bind/named.conf.local
|
||||||
line: 'include "/etc/bind/zones.rfc1918";'
|
line: 'include "/etc/bind/zones.rfc1918";'
|
||||||
regexp: "zones.rfc1918"
|
regexp: "zones.rfc1918"
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- debug:
|
- ansible.builtin.debug:
|
||||||
var: ansible_lsb
|
var: ansible_lsb
|
||||||
|
|
||||||
# Force facts until Debian 12 is released because Ansible is dumb
|
# Force facts until Debian 12 is released because Ansible is dumb
|
||||||
- set_fact:
|
- ansible.builtin.set_fact:
|
||||||
ansible_distribution_major_version: 12
|
ansible_distribution_major_version: 12
|
||||||
ansible_distribution: "Debian"
|
ansible_distribution: "Debian"
|
||||||
ansible_distribution_release: "bookworm"
|
ansible_distribution_release: "bookworm"
|
||||||
when: "ansible_lsb.codename == 'bookworm'"
|
when: "'bookworm' in ansible_lsb.codename or 'bookworm' in ansible_lsb.description"
|
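Review bot: the new condition `"'bookworm' in ansible_lsb.codename or 'bookworm' in ansible_lsb.description"` dereferences both keys unconditionally; on a host where the lsb facts are empty (no lsb-release installed) the task errors on an undefined attribute instead of skipping, so `ansible_lsb.codename | default('')` and `ansible_lsb.description | default('')` would be safer. The `ansible.builtin.debug: var: ansible_lsb` above it prints the full fact on every run and looks like leftover diagnostics. Separately, `ansible_distribution_major_version: 12` is an unquoted integer while the gathered fact is a string, so `== "12"` comparisons elsewhere will not match the override; quoting it as `"12"` keeps the type compatible (the bullseye file has the same issue with `11`).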
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
# Force facts until Debian 11 is released because Ansible is dumb
|
# Force facts until Debian 11 is released because Ansible is dumb
|
||||||
- set_fact:
|
- ansible.builtin.set_fact:
|
||||||
ansible_distribution_major_version: 11
|
ansible_distribution_major_version: 11
|
||||||
ansible_distribution: "Debian"
|
ansible_distribution: "Debian"
|
||||||
ansible_distribution_release: "bullseye"
|
ansible_distribution_release: "bullseye"
|
||||||
|
|
|
@ -1,23 +1,24 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: reload nginx
|
- name: reload nginx
|
||||||
service:
|
ansible.builtin.systemd:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: reload apache
|
- name: reload apache
|
||||||
service:
|
ansible.builtin.systemd:
|
||||||
name: apache2
|
name: apache2
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: reload haproxy
|
- name: reload haproxy
|
||||||
service:
|
ansible.builtin.systemd:
|
||||||
name: haproxy
|
name: haproxy
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: systemd daemon-reload
|
- name: systemd daemon-reload
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
|
|
||||||
- name: install letsencrypt-auto
|
- name: install letsencrypt-auto
|
||||||
command: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade
|
ansible.builtin.command:
|
||||||
|
cmd: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade
|
||||||
|
|
|
@ -1,18 +1,18 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Certbot work directory is present
|
- name: Certbot work directory is present
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ certbot_work_dir }}"
|
dest: "{{ certbot_work_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: Check if Nginx is installed
|
- name: Check if Nginx is installed
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/nginx
|
path: /etc/nginx
|
||||||
register: is_nginx
|
register: is_nginx
|
||||||
|
|
||||||
- name: ACME challenge for Nginx is installed
|
- name: ACME challenge for Nginx is installed
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: acme-challenge/nginx.conf.j2
|
src: acme-challenge/nginx.conf.j2
|
||||||
dest: /etc/nginx/snippets/letsencrypt.conf
|
dest: /etc/nginx/snippets/letsencrypt.conf
|
||||||
force: yes
|
force: yes
|
||||||
|
@ -20,32 +20,33 @@
|
||||||
when: is_nginx.stat.exists
|
when: is_nginx.stat.exists
|
||||||
|
|
||||||
- name: Check if Apache is installed
|
- name: Check if Apache is installed
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /usr/sbin/apachectl
|
path: /usr/sbin/apachectl
|
||||||
register: is_apache
|
register: is_apache
|
||||||
|
|
||||||
- name: ACME challenge for Apache
|
- name: ACME challenge for Apache
|
||||||
block:
|
block:
|
||||||
- name: ACME challenge for Apache is installed
|
- name: ACME challenge for Apache is installed
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: acme-challenge/apache.conf.j2
|
src: acme-challenge/apache.conf.j2
|
||||||
dest: /etc/apache2/conf-available/letsencrypt.conf
|
dest: /etc/apache2/conf-available/letsencrypt.conf
|
||||||
force: yes
|
force: yes
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
|
|
||||||
- name: ACME challenge for Apache is enabled
|
- name: ACME challenge for Apache is enabled
|
||||||
command: "a2enconf letsencrypt"
|
ansible.builtin.command:
|
||||||
|
cmd: "a2enconf letsencrypt"
|
||||||
register: command_result
|
register: command_result
|
||||||
changed_when: "'Enabling' in command_result.stderr"
|
changed_when: "'Enabling' in command_result.stderr"
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
when: is_apache.stat.exists
|
when: is_apache.stat.exists
|
||||||
|
|
||||||
- name: Check if HAProxy is installed
|
- name: Check if HAProxy is installed
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/haproxy
|
path: /etc/haproxy
|
||||||
register: is_haproxy
|
register: is_haproxy
|
||||||
|
|
||||||
- name: ACME challenge for HAProxy is installed
|
- name: ACME challenge for HAProxy is installed
|
||||||
debug:
|
ansible.builtin.debug:
|
||||||
msg: "ACME challenge configuration for HAProxy must be configured manually"
|
msg: "ACME challenge configuration for HAProxy must be configured manually"
|
||||||
when: is_haproxy.stat.exists
|
when: is_haproxy.stat.exists
|
||||||
|
|
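Review bot: `a2enconf letsencrypt` runs on every play because the task has no `creates`; `changed_when` keeps the reporting honest, but adding `creates: /etc/apache2/conf-enabled/letsencrypt.conf` next to `cmd:` skips the command once the conf is enabled and keeps the task idempotent without depending on the tool's output text. The `changed_when: "'Enabling' in command_result.stderr"` condition also relies on which stream a2enconf writes its message to, which I could not confirm from here; with `creates` in place that check becomes a secondary signal only.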
|
@ -1,16 +1,16 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: certbot package is removed
|
- name: certbot package is removed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: certbot
|
name: certbot
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
|
# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
|
||||||
- name: Let's Encrypt script is present
|
- name: Let's Encrypt script is present
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: letsencrypt-auto
|
src: letsencrypt-auto
|
||||||
dest: /usr/local/bin/letsencrypt-auto
|
dest: /usr/local/bin/letsencrypt-auto
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
|
@ -20,22 +20,23 @@
|
||||||
notify: install letsencrypt-auto
|
notify: install letsencrypt-auto
|
||||||
|
|
||||||
- name: Check certbot script
|
- name: Check certbot script
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /usr/local/bin/certbot
|
path: /usr/local/bin/certbot
|
||||||
register: certbot_path
|
register: certbot_path
|
||||||
|
|
||||||
- name: Rename certbot script if present
|
- name: Rename certbot script if present
|
||||||
command: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak"
|
ansible.builtin.command:
|
||||||
|
cmd: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak"
|
||||||
when: certbot_path.stat.exists
|
when: certbot_path.stat.exists
|
||||||
|
|
||||||
- name: Let's Encrypt script is symlinked as certbot
|
- name: Let's Encrypt script is symlinked as certbot
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: "/usr/local/bin/letsencrypt-auto"
|
src: "/usr/local/bin/letsencrypt-auto"
|
||||||
dest: "/usr/local/bin/certbot"
|
dest: "/usr/local/bin/certbot"
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
- name: systemd artefacts are absent
|
- name: systemd artefacts are absent
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ item }}"
|
dest: "{{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
loop:
|
loop:
|
||||||
|
@ -45,14 +46,14 @@
|
||||||
notify: systemd daemon-reload
|
notify: systemd daemon-reload
|
||||||
|
|
||||||
- name: custom crontab is present
|
- name: custom crontab is present
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: cron_jessie
|
src: cron_jessie
|
||||||
dest: /etc/cron.d/certbot
|
dest: /etc/cron.d/certbot
|
||||||
force: yes
|
force: yes
|
||||||
when: certbot_custom_crontab | bool
|
when: certbot_custom_crontab | bool
|
||||||
|
|
||||||
- name: disable self-upgrade
|
- name: disable self-upgrade
|
||||||
ini_file:
|
community.general.ini_file:
|
||||||
dest: "/etc/letsencrypt/cli.ini"
|
dest: "/etc/letsencrypt/cli.ini"
|
||||||
section: null
|
section: null
|
||||||
option: "no-self-upgrade"
|
option: "no-self-upgrade"
|
||||||
|
|
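Review bot: `when: certbot_path.stat.exists` is also true for the symlink that the following `Let's Encrypt script is symlinked as certbot` task creates, so on every subsequent run the `mv` moves that symlink to certbot.bak and the symlink is recreated — the task never settles and any real certbot.bak is overwritten. Guarding it with `when: certbot_path.stat.exists and not certbot_path.stat.islnk` limits the rename to a regular file. Also note that switching to `community.general.ini_file` introduces a dependency on the community.general collection; if the repository does not already declare it in a requirements file, the role will fail on an ansible-core-only install.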
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: certbot package is installed
|
- name: certbot package is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: certbot
|
name: certbot
|
||||||
state: latest
|
state: latest
|
||||||
|
|
|
@ -1,28 +1,28 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "System compatibility checks"
|
- name: "System compatibility checks"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('8', '>=')
|
- ansible_distribution_major_version is version('8', '>=')
|
||||||
msg: only compatible with Debian 9+
|
msg: only compatible with Debian 9+
|
||||||
|
|
||||||
- name: Install legacy script on Debian 8
|
- name: Install legacy script on Debian 8
|
||||||
include: install-legacy.yml
|
ansible.builtin.include: install-legacy.yml
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('9', '<')
|
- ansible_distribution_major_version is version('9', '<')
|
||||||
|
|
||||||
- name: Install package on Debian 9+
|
- name: Install package on Debian 9+
|
||||||
include: install-package.yml
|
ansible.builtin.include: install-package.yml
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('9', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
- include: acme-challenge.yml
|
- ansible.builtin.include: acme-challenge.yml
|
||||||
|
|
||||||
- name: Deploy hooks are present
|
- name: Deploy hooks are present
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: hooks/deploy/
|
src: hooks/deploy/
|
||||||
dest: /etc/letsencrypt/renewal-hooks/deploy/
|
dest: /etc/letsencrypt/renewal-hooks/deploy/
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
|
@ -30,7 +30,7 @@
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Manual deploy hook is present
|
- name: Manual deploy hook is present
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: hooks/manual-deploy.sh
|
src: hooks/manual-deploy.sh
|
||||||
dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
|
dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
|
@ -38,7 +38,7 @@
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: "sync_remote is configured with servers"
|
- name: "sync_remote is configured with servers"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
|
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
|
||||||
regexp: "^servers="
|
regexp: "^servers="
|
||||||
line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\""
|
line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\""
|
||||||
|
@ -46,14 +46,15 @@
|
||||||
|
|
||||||
# begining of backward compatibility tasks
|
# begining of backward compatibility tasks
|
||||||
- name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present
|
- name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present
|
||||||
command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
|
ansible.builtin.command:
|
||||||
|
cmd: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
|
||||||
args:
|
args:
|
||||||
removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
|
removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
|
||||||
creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
|
creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
|
||||||
# end of backward compatibility tasks
|
# end of backward compatibility tasks
|
||||||
|
|
||||||
- name: "certbot lock is ignored by Git"
|
- name: "certbot lock is ignored by Git"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/.gitignore
|
dest: /etc/.gitignore
|
||||||
line: letsencrypt/.certbot.lock
|
line: letsencrypt/.certbot.lock
|
||||||
create: yes
|
create: yes
|
||||||
|
|
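Review bot: the assert's `msg: only compatible with Debian 9+` contradicts its own check `ansible_distribution_major_version is version('8', '>=')` and the `Install legacy script on Debian 8` task that follows, so the message should read `msg: only compatible with Debian 8+` (or the check be raised to 9 if Debian 8 support is being dropped). Quoting the message, `msg: "only compatible with Debian 8+"`, also protects it from the `+` being read oddly by stricter YAML tooling.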
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: restart clamav
|
- name: restart clamav
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: clamav-daemon
|
name: clamav-daemon
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: configure clamav-daemon
|
- name: configure clamav-daemon
|
||||||
debconf:
|
ansible.builtin.debconf:
|
||||||
name: clamav-daemon
|
name: clamav-daemon
|
||||||
question: "{{ item.key }}"
|
question: "{{ item.key }}"
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
|
@ -52,7 +52,7 @@
|
||||||
- clamav
|
- clamav
|
||||||
|
|
||||||
- name: configure clamav-freshclam
|
- name: configure clamav-freshclam
|
||||||
debconf:
|
ansible.builtin.debconf:
|
||||||
name: clamav-freshclam
|
name: clamav-freshclam
|
||||||
question: "{{ item.key }}"
|
question: "{{ item.key }}"
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
|
@ -73,7 +73,7 @@
|
||||||
- clamav
|
- clamav
|
||||||
|
|
||||||
- name: install ClamAV
|
- name: install ClamAV
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- clamav-daemon
|
- clamav-daemon
|
||||||
- clamav
|
- clamav
|
||||||
|
@ -92,7 +92,7 @@
|
||||||
- clamav
|
- clamav
|
||||||
|
|
||||||
- name: add clamav user to amavis group
|
- name: add clamav user to amavis group
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: clamav
|
name: clamav
|
||||||
groups: amavis
|
groups: amavis
|
||||||
append: True
|
append: True
|
||||||
|
@ -100,7 +100,7 @@
|
||||||
- clamav
|
- clamav
|
||||||
|
|
||||||
- name: allow supplementary groups
|
- name: allow supplementary groups
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/clamav/clamd.conf
|
dest: /etc/clamav/clamd.conf
|
||||||
regexp: 'AllowSupplementaryGroups false'
|
regexp: 'AllowSupplementaryGroups false'
|
||||||
replace: 'AllowSupplementaryGroups true'
|
replace: 'AllowSupplementaryGroups true'
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: restart dhcp
|
- name: restart dhcp
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: isc-dhcp-server
|
name: isc-dhcp-server
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
- name: ensure packages are installed
|
- name: ensure packages are installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: isc-dhcp-server
|
name: isc-dhcp-server
|
||||||
state: present
|
state: present
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
daemon-reload: yes
|
daemon-reload: yes
|
||||||
|
|
||||||
- name: restart docker
|
- name: restart docker
|
||||||
service:
|
ansible.builtin.systemd:
|
||||||
name: docker
|
name: docker
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# This role installs the docker daemon
|
# This role installs the docker daemon
|
||||||
---
|
---
|
||||||
- name: Remove older docker packages
|
- name: Remove older docker packages
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- docker
|
- docker
|
||||||
- docker-engine
|
- docker-engine
|
||||||
|
@ -9,15 +9,21 @@
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: Install source requirements
|
- name: Install source requirements
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- apt-transport-https
|
|
||||||
- ca-certificates
|
- ca-certificates
|
||||||
- gnupg2
|
- gnupg2
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Install apt-transport-https (Debian <10)
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- apt-transport-https
|
||||||
|
state: present
|
||||||
|
when: ansible_distribution_major_version is version('10', '<')
|
||||||
|
|
||||||
- name: Add Docker's official GPG key
|
- name: Add Docker's official GPG key
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: docker-debian.asc
|
src: docker-debian.asc
|
||||||
dest: "{{ apt_keyring_dir }}/docker-debian.asc"
|
dest: "{{ apt_keyring_dir }}/docker-debian.asc"
|
||||||
force: yes
|
force: yes
|
||||||
|
@ -25,53 +31,61 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Add Docker repository
|
- name: Add Docker repository (Debian <12)
|
||||||
apt_repository:
|
ansible.builtin.apt_repository:
|
||||||
repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
||||||
|
filename: docker
|
||||||
state: present
|
state: present
|
||||||
filename: docker.list
|
update_cache: yes
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
|
|
||||||
- name: Drop unsigned Docker repository
|
- name: Add Docker repository (Debian >=12)
|
||||||
apt_repository:
|
ansible.builtin.template:
|
||||||
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
src: docker.sources.j2
|
||||||
state: absent
|
dest: /etc/apt/sources.list.d/docker.sources
|
||||||
filename: docker.list
|
state: present
|
||||||
|
register: docker_sources
|
||||||
|
when: ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
- name: Update APT cache
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
when: docker_sources is changed
|
||||||
|
|
||||||
- name: Install Docker
|
- name: Install Docker
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- docker-ce
|
- docker-ce
|
||||||
- docker-ce-cli
|
- docker-ce-cli
|
||||||
- containerd.io
|
- containerd.io
|
||||||
update_cache: yes
|
|
||||||
|
|
||||||
- name: python-docker is installed
|
- name: python-docker is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: python-docker
|
name: python-docker
|
||||||
state: present
|
state: present
|
||||||
when: ansible_python_version is version('3', '<')
|
when: ansible_python_version is version('3', '<')
|
||||||
|
|
||||||
- name: python3-docker is installed
|
- name: python3-docker is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: python3-docker
|
name: python3-docker
|
||||||
state: present
|
state: present
|
||||||
when: ansible_python_version is version('3', '>=')
|
when: ansible_python_version is version('3', '>=')
|
||||||
|
|
||||||
- name: Copy Docker daemon configuration file
|
- name: Copy Docker daemon configuration file
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: daemon.json.j2
|
src: daemon.json.j2
|
||||||
dest: /etc/docker/daemon.json
|
dest: /etc/docker/daemon.json
|
||||||
notify: restart docker
|
notify: restart docker
|
||||||
|
|
||||||
- name: Creating Docker tmp directory
|
- name: Creating Docker tmp directory
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ docker_tmpdir }}"
|
path: "{{ docker_tmpdir }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
|
|
||||||
- name: Creating Docker TLS directory
|
- name: Creating Docker TLS directory
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ docker_tls_path }}"
|
path: "{{ docker_tls_path }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
@ -79,7 +93,7 @@
|
||||||
when: docker_tls_enabled | bool
|
when: docker_tls_enabled | bool
|
||||||
|
|
||||||
- name: Copy shellpki utility to Docker TLS directory
|
- name: Copy shellpki utility to Docker TLS directory
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "{{ item }}.j2"
|
src: "{{ item }}.j2"
|
||||||
dest: "{{ docker_tls_path }}/{{ item }}"
|
dest: "{{ docker_tls_path }}/{{ item }}"
|
||||||
mode: "0744"
|
mode: "0744"
|
||||||
|
@ -89,12 +103,13 @@
|
||||||
when: docker_tls_enabled | bool
|
when: docker_tls_enabled | bool
|
||||||
|
|
||||||
- name: Check if certs are already created
|
- name: Check if certs are already created
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ docker_tls_path }}/certs"
|
path: "{{ docker_tls_path }}/certs"
|
||||||
register: tls_certs_stat
|
register: tls_certs_stat
|
||||||
|
|
||||||
- name: Creating a CA, server key
|
- name: Creating a CA, server key
|
||||||
command: "{{ docker_tls_path }}/shellpki.sh init"
|
ansible.builtin.command:
|
||||||
|
cmd: "{{ docker_tls_path }}/shellpki.sh init"
|
||||||
when:
|
when:
|
||||||
- docker_tls_enabled | bool
|
- docker_tls_enabled | bool
|
||||||
- not tls_certs_stat.stat.isdir
|
- not tls_certs_stat.stat.isdir
|
||||||
|
|
8
docker-host/templates/docker.sources.j2
Normal file
8
docker-host/templates/docker.sources.j2
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
Types: deb
|
||||||
|
URIs: https://download.docker.com/linux/debian
|
||||||
|
Suites: {{ ansible_distribution_release }}
|
||||||
|
Components: stable
|
||||||
|
Signed-by: {{ apt_keyring_dir }}/docker-debian.asc
|
||||||
|
Enabled: yes
|
|
@ -1,16 +1,16 @@
|
||||||
---
|
---
|
||||||
- name: restart dovecot
|
- name: restart dovecot
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: dovecot
|
name: dovecot
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: reload dovecot
|
- name: reload dovecot
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: dovecot
|
name: dovecot
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: restart log2mail
|
- name: restart log2mail
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: log2mail
|
name: log2mail
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
- name: ensure packages are installed
|
- name: ensure packages are installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- dovecot-ldap
|
- dovecot-ldap
|
||||||
- dovecot-imapd
|
- dovecot-imapd
|
||||||
|
@ -11,12 +11,12 @@
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
|
- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
|
||||||
openssl_dhparam:
|
community.crypto.openssl_dhparam:
|
||||||
path: /etc/ssl/dhparams.pem
|
path: /etc/ssl/dhparams.pem
|
||||||
size: 4096
|
size: 4096
|
||||||
|
|
||||||
- name: disable pam auth
|
- name: disable pam auth
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/dovecot/conf.d/10-auth.conf
|
dest: /etc/dovecot/conf.d/10-auth.conf
|
||||||
regexp: "[^#]!include auth-system.conf.ext"
|
regexp: "[^#]!include auth-system.conf.ext"
|
||||||
replace: "#!include auth-system.conf.ext"
|
replace: "#!include auth-system.conf.ext"
|
||||||
|
@ -24,7 +24,7 @@
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- name: update ldap auth
|
- name: update ldap auth
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/dovecot/dovecot-ldap.conf.ext
|
dest: /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
line: "{{ item.key }} = {{ item.value }}"
|
line: "{{ item.key }} = {{ item.value }}"
|
||||||
regexp: "^#*{{ item.key }}"
|
regexp: "^#*{{ item.key }}"
|
||||||
|
@ -43,7 +43,7 @@
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- name: create vmail group
|
- name: create vmail group
|
||||||
group:
|
ansible.builtin.group:
|
||||||
name: vmail
|
name: vmail
|
||||||
gid: "{{ dovecot_vmail_gid }}"
|
gid: "{{ dovecot_vmail_gid }}"
|
||||||
system: True
|
system: True
|
||||||
|
@ -51,7 +51,7 @@
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- name: create vmail user
|
- name: create vmail user
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: vmail
|
name: vmail
|
||||||
group: vmail
|
group: vmail
|
||||||
uid: "{{ dovecot_vmail_uid }}"
|
uid: "{{ dovecot_vmail_uid }}"
|
||||||
|
@ -61,7 +61,7 @@
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- name: deploy evolix config
|
- name: deploy evolix config
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: z-evolinux-defaults.conf.j2
|
src: z-evolinux-defaults.conf.j2
|
||||||
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
|
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
@ -70,7 +70,7 @@
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- name: deploy file for custom configuration
|
- name: deploy file for custom configuration
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: zzz-evolinux-custom.conf.j2
|
src: zzz-evolinux-custom.conf.j2
|
||||||
dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf
|
dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
@ -78,18 +78,18 @@
|
||||||
tags:
|
tags:
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- include: munin.yml
|
- ansible.builtin.include: munin.yml
|
||||||
tags:
|
tags:
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
- name: log2mail is installed
|
- name: log2mail is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: log2mail
|
name: log2mail
|
||||||
state: present
|
state: present
|
||||||
tags: dovecot
|
tags: dovecot
|
||||||
|
|
||||||
- name: dovecot is configured in log2mail
|
- name: dovecot is configured in log2mail
|
||||||
blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
path: /etc/log2mail/config/mail.conf
|
path: /etc/log2mail/config/mail.conf
|
||||||
create: true
|
create: true
|
||||||
owner: log2mail
|
owner: log2mail
|
||||||
|
|
|
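Review bot: `ansible.builtin.include: munin.yml` keeps the long-deprecated `include` action alive under a fully-qualified name; `include` is removed in ansible-core 2.16, so the FQCN move only postpones the breakage. The same applies to the `include:` lines in the two `main.yml` sections further down (the one including packages.yml/munin.yml/nagios.yml and the elasticsearch one). Here the file is included unconditionally and only carries tags, so `ansible.builtin.import_tasks: munin.yml` is the drop-in replacement (tags on an import propagate to the imported tasks); where a `when:` is attached, as in the elasticsearch main.yml, `ansible.builtin.include_tasks` evaluates the condition once at runtime instead of per imported task.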
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: is Munin present ?
|
- name: is Munin present ?
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/munin/plugin-conf.d/munin-node
|
path: /etc/munin/plugin-conf.d/munin-node
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: munin_node_plugins_config
|
register: munin_node_plugins_config
|
||||||
|
@ -9,13 +9,13 @@
|
||||||
- name: Munin plugins are present and configured
|
- name: Munin plugins are present and configured
|
||||||
block:
|
block:
|
||||||
- name: Install munin plugin
|
- name: Install munin plugin
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: munin_plugin
|
src: munin_plugin
|
||||||
dest: /etc/munin/plugins/dovecot
|
dest: /etc/munin/plugins/dovecot
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: Install munin config
|
- name: Install munin config
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: munin_config
|
src: munin_config
|
||||||
dest: /etc/munin/plugin-conf.d/dovecot
|
dest: /etc/munin/plugin-conf.d/dovecot
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: restart munin-node
|
- name: restart munin-node
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: munin-node
|
name: munin-node
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- include: packages.yml
|
- ansible.builtin.include: packages.yml
|
||||||
|
|
||||||
- include: munin.yml
|
- ansible.builtin.include: munin.yml
|
||||||
|
|
||||||
- include: nagios.yml
|
- ansible.builtin.include: nagios.yml
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Check if Munin plugins exists
|
- name: Check if Munin plugins exists
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/munin/plugins/
|
path: /etc/munin/plugins/
|
||||||
register: munin_plugins_dir
|
register: munin_plugins_dir
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
# https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/drbd/drbd
|
# https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/drbd/drbd
|
||||||
- name: Get Munin plugin
|
- name: Get Munin plugin
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: munin/drbd-plugin
|
src: munin/drbd-plugin
|
||||||
dest: /etc/munin/plugins/drbd
|
dest: /etc/munin/plugins/drbd
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
- drbd
|
- drbd
|
||||||
|
|
||||||
- name: Copy Munin plugin conf
|
- name: Copy Munin plugin conf
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: munin/drbd-config
|
src: munin/drbd-config
|
||||||
dest: /etc/munin/plugin-conf.d/drbd
|
dest: /etc/munin/plugin-conf.d/drbd
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
|
@ -1,21 +1,21 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Check if Nagios is installed
|
- name: Check if Nagios is installed
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /usr/local/lib/nagios/plugins/
|
path: /usr/local/lib/nagios/plugins/
|
||||||
register: nagios_plugins_dir
|
register: nagios_plugins_dir
|
||||||
check_mode: no
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- drbd
|
- drbd
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
tags:
|
tags:
|
||||||
- drbd
|
- drbd
|
||||||
|
|
||||||
# https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=3367&cf_id=30
|
# https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=3367&cf_id=30
|
||||||
- name: Install Nagios plugin
|
- name: Install Nagios plugin
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "nagios/check_drbd"
|
src: "nagios/check_drbd"
|
||||||
dest: "/usr/local/lib/nagios/plugins/check_drbd"
|
dest: "/usr/local/lib/nagios/plugins/check_drbd"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
- name: Install dependency
|
- name: Install dependency
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- drbd-utils
|
- drbd-utils
|
||||||
- lvm2
|
- lvm2
|
||||||
|
@ -7,7 +7,7 @@
|
||||||
- drbd
|
- drbd
|
||||||
|
|
||||||
- name: Enable drbd.service
|
- name: Enable drbd.service
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: drbd
|
name: drbd
|
||||||
enabled: yes
|
enabled: yes
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: restart elasticsearch
|
- name: restart elasticsearch
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
name: elasticsearch
|
name: elasticsearch
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: elasticsearch_additional_scripts_dir is search("/usr")
|
when: elasticsearch_additional_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: "{{ elasticsearch_additional_scripts_dir }} exists"
|
- name: "{{ elasticsearch_additional_scripts_dir }} exists"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ elasticsearch_additional_scripts_dir }}"
|
dest: "{{ elasticsearch_additional_scripts_dir }}"
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -13,7 +13,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Plugins upgrade script is installed
|
- name: Plugins upgrade script is installed
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: upgrade_elasticsearch_plugins.sh
|
src: upgrade_elasticsearch_plugins.sh
|
||||||
dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh"
|
dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
36
elasticsearch/tasks/apt_sources.yml
Normal file
36
elasticsearch/tasks/apt_sources.yml
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
- name: APT https transport is enabled (Debian <10)
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: apt-transport-https
|
||||||
|
state: present
|
||||||
|
when: ansible_distribution_major_version is version('10', '<')
|
||||||
|
|
||||||
|
- name: Elastic GPG key is installed
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: elastic.asc
|
||||||
|
dest: "{{ apt_keyring_dir }}/elastic.asc"
|
||||||
|
force: yes
|
||||||
|
mode: "0644"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Add Elastic repository (Debian <12)
|
||||||
|
ansible.builtin.apt_repository:
|
||||||
|
repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
|
||||||
|
filename: elastic
|
||||||
|
state: present
|
||||||
|
update_cache: yes
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
|
|
||||||
|
- name: Add Elastic repository (Debian >=12)
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: elastic.sources.j2
|
||||||
|
dest: /etc/apt/sources.list.d/elastic.sources
|
||||||
|
state: present
|
||||||
|
register: elastic_sources
|
||||||
|
when: ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
- name: Update APT cache
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
when: elastic_sources is changed
|
|
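Review bot: `state: present` under `ansible.builtin.template` in the "Add Elastic repository (Debian >=12)" task is not a parameter of the template module; depending on the ansible-core version it is either rejected as an unsupported parameter at runtime or passed through and ignored, and either way it should be dropped. The rest of the chain looks right: `register: elastic_sources` feeds the final "Update APT cache" task, and on Debian <12 the skipped task's registered result does not evaluate as `changed`. One case the file does not cover is an in-place Debian 11→12 upgrade, where the `elastic` list file written by the <12 branch would remain next to the new `elastic.sources`; if that matters, a `state: absent` counterpart keyed on the same version test would keep the two branches exclusive.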
@ -1,7 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Read maximum map count
|
- name: Read maximum map count
|
||||||
command: "sysctl -n vm.max_map_count"
|
ansible.builtin.command:
|
||||||
|
cmd: "sysctl -n vm.max_map_count"
|
||||||
register: max_map_count
|
register: max_map_count
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
@ -9,7 +10,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Maximum map count check
|
- name: Maximum map count check
|
||||||
sysctl:
|
ansible.posix.sysctl:
|
||||||
name: vm.max_map_count
|
name: vm.max_map_count
|
||||||
value: 262144
|
value: 262144
|
||||||
sysctl_file: /etc/sysctl.d/elasticsearch.conf
|
sysctl_file: /etc/sysctl.d/elasticsearch.conf
|
||||||
|
@ -18,7 +19,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: bootstrap.memory_lock
|
- name: bootstrap.memory_lock
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "bootstrap.memory_lock: true"
|
line: "bootstrap.memory_lock: true"
|
||||||
regexp: "^bootstrap.memory_lock:"
|
regexp: "^bootstrap.memory_lock:"
|
||||||
|
@ -27,12 +28,12 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Create a system config directory for systemd overrides
|
- name: Create a system config directory for systemd overrides
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /etc/systemd/system/elasticsearch.service.d
|
path: /etc/systemd/system/elasticsearch.service.d
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Override memory config in systemd unit
|
- name: Override memory config in systemd unit
|
||||||
ini_file:
|
community.general.ini_file:
|
||||||
dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
|
dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
|
||||||
section: Service
|
section: Service
|
||||||
option: "LimitMEMLOCK"
|
option: "LimitMEMLOCK"
|
||||||
|
|
|
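Review bot: `ansible.posix.sysctl` and `community.general.ini_file` (like `community.crypto.openssl_dhparam` in the dovecot tasks above) name modules that live outside ansible-core, so this commit makes the role's dependency on those collections explicit. Unless the repository already declares them, a `requirements.yml` or README entry listing `ansible.posix`, `community.general` and `community.crypto` is needed; on a controller with only ansible-core installed the play otherwise stops at the first of these tasks with an unresolved-module error. The `value: 262144` on the sysctl task is fine as-is, the module coerces it to a string.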
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Configure cluster name
|
- name: Configure cluster name
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "cluster.name: {{ elasticsearch_cluster_name }}"
|
line: "cluster.name: {{ elasticsearch_cluster_name }}"
|
||||||
regexp: "^cluster.name:"
|
regexp: "^cluster.name:"
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure node name
|
- name: Configure node name
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "node.name: {{ elasticsearch_node_name }}"
|
line: "node.name: {{ elasticsearch_node_name }}"
|
||||||
regexp: "^node.name:"
|
regexp: "^node.name:"
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure network host
|
- name: Configure network host
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "network.host: {{ elasticsearch_network_host }}"
|
line: "network.host: {{ elasticsearch_network_host }}"
|
||||||
regexp: "^network.host:"
|
regexp: "^network.host:"
|
||||||
|
@ -30,7 +30,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure network publish_host
|
- name: Configure network publish_host
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
|
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
|
||||||
regexp: "^network.publish_host:"
|
regexp: "^network.publish_host:"
|
||||||
|
@ -40,7 +40,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure http publish_host
|
- name: Configure http publish_host
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
|
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
|
||||||
regexp: "^http.publish_host:"
|
regexp: "^http.publish_host:"
|
||||||
|
@ -50,7 +50,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure discovery seed hosts
|
- name: Configure discovery seed hosts
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}"
|
line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}"
|
||||||
regexp: "^discovery.seed_hosts:"
|
regexp: "^discovery.seed_hosts:"
|
||||||
|
@ -59,7 +59,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure empty discovery seed hosts
|
- name: Configure empty discovery seed hosts
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
regexp: "^discovery.seed_hosts:"
|
regexp: "^discovery.seed_hosts:"
|
||||||
state: absent
|
state: absent
|
||||||
|
@ -68,7 +68,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure initial master nodes
|
- name: Configure initial master nodes
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}"
|
line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}"
|
||||||
regexp: "^cluster.initial_master_nodes:"
|
regexp: "^cluster.initial_master_nodes:"
|
||||||
|
@ -77,7 +77,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure empty initial master nodes
|
- name: Configure empty initial master nodes
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
regexp: "^cluster.initial_master_nodes:"
|
regexp: "^cluster.initial_master_nodes:"
|
||||||
state: absent
|
state: absent
|
||||||
|
@ -86,7 +86,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure RESTART_ON_UPGRADE
|
- name: Configure RESTART_ON_UPGRADE
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/default/elasticsearch
|
dest: /etc/default/elasticsearch
|
||||||
line: "RESTART_ON_UPGRADE={{ elasticsearch_restart_on_upgrade | bool | ternary('true','false') }}"
|
line: "RESTART_ON_UPGRADE={{ elasticsearch_restart_on_upgrade | bool | ternary('true','false') }}"
|
||||||
regexp: "^RESTART_ON_UPGRADE="
|
regexp: "^RESTART_ON_UPGRADE="
|
||||||
|
@ -95,7 +95,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: JVM Heap size (min) is set
|
- name: JVM Heap size (min) is set
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
||||||
regexp: "^-Xms"
|
regexp: "^-Xms"
|
||||||
line: "-Xms{{ elasticsearch_jvm_xms }}"
|
line: "-Xms{{ elasticsearch_jvm_xms }}"
|
||||||
|
@ -107,7 +107,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: JVM Heap size (max) is set
|
- name: JVM Heap size (max) is set
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
||||||
regexp: "^-Xmx"
|
regexp: "^-Xmx"
|
||||||
line: "-Xmx{{ elasticsearch_jvm_xmx }}"
|
line: "-Xmx{{ elasticsearch_jvm_xmx }}"
|
||||||
|
@ -119,7 +119,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Disable garbage collector logs (JDK >= 9)
|
- name: Disable garbage collector logs (JDK >= 9)
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options
|
dest: /etc/elasticsearch/jvm.options
|
||||||
regexp: "Xlog:gc"
|
regexp: "Xlog:gc"
|
||||||
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
|
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
|
||||||
|
@ -130,7 +130,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure cluster members
|
- name: Configure cluster members
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
|
line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
|
||||||
regexp: "^discovery.zen.ping.unicast.hosts:"
|
regexp: "^discovery.zen.ping.unicast.hosts:"
|
||||||
|
@ -140,7 +140,7 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Configure minimum master nodes
|
- name: Configure minimum master nodes
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
|
line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
|
||||||
regexp: "^discovery.zen.minimum_master_nodes:"
|
regexp: "^discovery.zen.minimum_master_nodes:"
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Use the correct debian repository
|
- name: Use the correct debian repository
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
curator_debian_repository: '{% if ansible_distribution_release == "jessie" %}debian{% else %}debian9{% endif %}'
|
curator_debian_repository: '{% if ansible_distribution_release == "jessie" %}debian{% else %}debian9{% endif %}'
|
||||||
|
|
||||||
- name: Curator sources list is available
|
- name: Curator sources list is available
|
||||||
apt_repository:
|
ansible.builtin.apt_repository:
|
||||||
repo: "deb https://packages.elastic.co/curator/5/{{ curator_debian_repository }} stable main"
|
repo: "deb https://packages.elastic.co/curator/5/{{ curator_debian_repository }} stable main"
|
||||||
filename: curator
|
filename: curator
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: Curator package is installed
|
- name: Curator package is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: elasticsearch-curator
|
name: elasticsearch-curator
|
||||||
state: present
|
state: present
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -3,13 +3,13 @@
|
||||||
- name: Set real datadir value when customized
|
- name: Set real datadir value when customized
|
||||||
block:
|
block:
|
||||||
- name: "Is custom datadir present ?"
|
- name: "Is custom datadir present ?"
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ elasticsearch_custom_datadir }}"
|
path: "{{ elasticsearch_custom_datadir }}"
|
||||||
register: elasticsearch_custom_datadir_test
|
register: elasticsearch_custom_datadir_test
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
|
||||||
- name: "read the real datadir"
|
- name: "read the real datadir"
|
||||||
command: readlink -f /var/lib/elasticsearch
|
ansible.builtin.command: readlink -f /var/lib/elasticsearch
|
||||||
changed_when: False
|
changed_when: False
|
||||||
register: elasticsearch_current_real_datadir_test
|
register: elasticsearch_current_real_datadir_test
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
@ -22,23 +22,24 @@
|
||||||
- name: Datadir is moved to custom path
|
- name: Datadir is moved to custom path
|
||||||
block:
|
block:
|
||||||
- name: elasticsearch is stopped
|
- name: elasticsearch is stopped
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: elasticsearch
|
name: elasticsearch
|
||||||
state: stopped
|
state: stopped
|
||||||
|
|
||||||
- name: Move elasticsearch datadir to custom datadir
|
- name: Move elasticsearch datadir to custom datadir
|
||||||
command: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}
|
ansible.builtin.command:
|
||||||
|
cmd: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}
|
||||||
args:
|
args:
|
||||||
creates: "{{ elasticsearch_custom_datadir }}"
|
creates: "{{ elasticsearch_custom_datadir }}"
|
||||||
|
|
||||||
- name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch
|
- name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: "{{ elasticsearch_custom_datadir }}"
|
src: "{{ elasticsearch_custom_datadir }}"
|
||||||
dest: '/var/lib/elasticsearch'
|
dest: '/var/lib/elasticsearch'
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
- name: elasticsearch is started
|
- name: elasticsearch is started
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: elasticsearch
|
name: elasticsearch
|
||||||
state: started
|
state: started
|
||||||
tags:
|
tags:
|
||||||
|
|
|
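Review bot: the converted `cmd: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}` is still split on whitespace by the command module, so if either path ever contains a space `mv` receives it as several arguments and the `creates:` guard on the destination does not help. Quoting each expansion, `cmd: "mv '{{ elasticsearch_current_real_datadir_test.stdout }}' '{{ elasticsearch_custom_datadir }}'"`, or using the module's `argv:` list form keeps every path as one argument. The enclosing block and its `when`/`tags` continue outside the hunk.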
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Check if cron is installed
|
- name: Check if cron is installed
|
||||||
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
ansible.builtin.shell:
|
||||||
args:
|
cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
check_mode: no
|
check_mode: no
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
register: is_cron_installed
|
register: is_cron_installed
|
||||||
|
|
||||||
- name: "log rotation script"
|
- name: "log rotation script"
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: rotate_elasticsearch_logs.j2
|
src: rotate_elasticsearch_logs.j2
|
||||||
dest: /etc/cron.daily/rotate_elasticsearch_logs
|
dest: /etc/cron.daily/rotate_elasticsearch_logs
|
||||||
owner: root
|
owner: root
|
||||||
|
|
|
@ -1,21 +1,21 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: packages.yml
|
- ansible.builtin.include: packages.yml
|
||||||
|
|
||||||
- include: configuration.yml
|
- ansible.builtin.include: configuration.yml
|
||||||
|
|
||||||
- include: bootstrap_checks.yml
|
- ansible.builtin.include: bootstrap_checks.yml
|
||||||
|
|
||||||
- include: tmpdir.yml
|
- ansible.builtin.include: tmpdir.yml
|
||||||
|
|
||||||
- include: datadir.yml
|
- ansible.builtin.include: datadir.yml
|
||||||
|
|
||||||
- include: logs.yml
|
- ansible.builtin.include: logs.yml
|
||||||
|
|
||||||
- include: additional_scripts.yml
|
- ansible.builtin.include: additional_scripts.yml
|
||||||
|
|
||||||
- include: plugin_head.yml
|
- ansible.builtin.include: plugin_head.yml
|
||||||
when: elasticsearch_plugin_head | bool
|
when: elasticsearch_plugin_head | bool
|
||||||
|
|
||||||
- include: curator.yml
|
- ansible.builtin.include: curator.yml
|
||||||
when: elasticsearch_curator | bool
|
when: elasticsearch_curator | bool
|
||||||
|
|
|
@ -1,73 +1,23 @@
|
||||||
---
|
---
|
||||||
|
- name: APT sources
|
||||||
- name: APT https transport is enabled
|
ansible.builtin.import_tasks: apt_sources.yml
|
||||||
apt:
|
args:
|
||||||
name: apt-transport-https
|
apply:
|
||||||
state: present
|
|
||||||
tags:
|
|
||||||
- elasticsearch
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Look for legacy apt keyring
|
|
||||||
stat:
|
|
||||||
path: /etc/apt/trusted.gpg
|
|
||||||
register: _trusted_gpg_keyring
|
|
||||||
tags:
|
|
||||||
- elasticsearch
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Elastic embedded GPG key is absent
|
|
||||||
apt_key:
|
|
||||||
id: "D88E42B4"
|
|
||||||
keyring: /etc/apt/trusted.gpg
|
|
||||||
state: absent
|
|
||||||
when: _trusted_gpg_keyring.stat.exists
|
|
||||||
tags:
|
|
||||||
- elasticsearch
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Elastic GPG key is installed
|
|
||||||
copy:
|
|
||||||
src: elastic.asc
|
|
||||||
dest: "{{ apt_keyring_dir }}/elastic.asc"
|
|
||||||
force: yes
|
|
||||||
mode: "0644"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
tags:
|
|
||||||
- elasticsearch
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Elastic sources list is available
|
|
||||||
apt_repository:
|
|
||||||
repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
|
|
||||||
filename: elastic
|
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
tags:
|
|
||||||
- elasticsearch
|
|
||||||
- packages
|
|
||||||
|
|
||||||
- name: Unsigned Elastic sources list is not available
|
|
||||||
apt_repository:
|
|
||||||
repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
|
|
||||||
filename: elastic
|
|
||||||
state: absent
|
|
||||||
update_cache: yes
|
|
||||||
tags:
|
tags:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: Elasticsearch is installed
|
- name: Elasticsearch is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: elasticsearch
|
name: elasticsearch
|
||||||
state: present
|
state: present
|
||||||
|
update_cache: yes
|
||||||
tags:
|
tags:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: Elasticsearch service is enabled
|
- name: Elasticsearch service is enabled
|
||||||
service:
|
ansible.builtin.systemd:
|
||||||
name: elasticsearch
|
name: elasticsearch
|
||||||
enabled: yes
|
enabled: yes
|
||||||
tags:
|
tags:
|
||||||
|
|
|
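Review bot: `args: apply:` under `ansible.builtin.import_tasks: apt_sources.yml` is, as far as I recall, only accepted for `include_tasks`; with `import_tasks` the task parser rejects it ("Invalid options for ansible.builtin.import_tasks: apply"), so the role would fail at parse time before any task runs. Because `import_tasks` is static, tags set directly on the import are inherited by every imported task, so the equivalent is `ansible.builtin.import_tasks: apt_sources.yml` followed by `tags:` with `- elasticsearch` and `- packages`, without `args`/`apply`. Separately, the rewrite drops the "Elastic embedded GPG key is absent" and "Unsigned Elastic sources list is not available" cleanup tasks: hosts provisioned by earlier versions of the role may still carry the unsigned `deb https://artifacts.elastic.co/...` line in the same `elastic` sources file and the legacy key in `/etc/apt/trusted.gpg`, which keeps a trust path this role no longer intends. If such hosts still exist, those two removals belong in apt_sources.yml next to the signed-by entry.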
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "User {{ elasticsearch_plugin_head_owner }} is present"
|
- name: "User {{ elasticsearch_plugin_head_owner }} is present"
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: "{{ elasticsearch_plugin_head_owner }}"
|
name: "{{ elasticsearch_plugin_head_owner }}"
|
||||||
home: "{{ elasticsearch_plugin_head_home }}"
|
home: "{{ elasticsearch_plugin_head_home }}"
|
||||||
createhome: yes
|
createhome: yes
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
- name: Head plugin is installed
|
- name: Head plugin is installed
|
||||||
block:
|
block:
|
||||||
- name: Head repository is checked-out
|
- name: Head repository is checked-out
|
||||||
git:
|
ansible.builtin.git:
|
||||||
repo: "https://github.com/mobz/elasticsearch-head.git"
|
repo: "https://github.com/mobz/elasticsearch-head.git"
|
||||||
dest: "{{ elasticsearch_plugin_head_clone_dir }}"
|
dest: "{{ elasticsearch_plugin_head_clone_dir }}"
|
||||||
clone: yes
|
clone: yes
|
||||||
|
@ -19,12 +19,12 @@
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: Create tmpdir
|
- name: Create tmpdir
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ elasticsearch_plugin_head_tmp_dir }}"
|
dest: "{{ elasticsearch_plugin_head_tmp_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: NPM packages for head are installed
|
- name: NPM packages for head are installed
|
||||||
npm:
|
community.general.npm:
|
||||||
path: "{{ elasticsearch_plugin_head_clone_dir }}"
|
path: "{{ elasticsearch_plugin_head_clone_dir }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
@ -35,7 +35,7 @@
|
||||||
become: yes
|
become: yes
|
||||||
|
|
||||||
- name: Elasticsearch HTTP/CORS are enabled
|
- name: Elasticsearch HTTP/CORS are enabled
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "http.cors.enabled: true"
|
line: "http.cors.enabled: true"
|
||||||
regexp: "^http.cors.enabled:"
|
regexp: "^http.cors.enabled:"
|
||||||
|
@ -46,7 +46,7 @@
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
|
|
||||||
- name: Elasticsearch HTTP/CORS accepts all origins
|
- name: Elasticsearch HTTP/CORS accepts all origins
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
line: "http.cors.allow-origin: \"*\""
|
line: "http.cors.allow-origin: \"*\""
|
||||||
regexp: "^http.cors.allow-origin:"
|
regexp: "^http.cors.allow-origin:"
|
||||||
|
@ -57,7 +57,7 @@
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
|
|
||||||
- name: Install systemd unit
|
- name: Install systemd unit
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: elasticsearch-head.service.j2
|
src: elasticsearch-head.service.j2
|
||||||
dest: /etc/systemd/system/elasticsearch-head.service
|
dest: /etc/systemd/system/elasticsearch-head.service
|
||||||
tags:
|
tags:
|
||||||
|
@ -65,7 +65,7 @@
|
||||||
- systemd
|
- systemd
|
||||||
|
|
||||||
- name: Enable systemd unit
|
- name: Enable systemd unit
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: elasticsearch-head
|
name: elasticsearch-head
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
|
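Review bot: The 'Elasticsearch HTTP/CORS accepts all origins' task still writes `http.cors.allow-origin: "*"` into elasticsearch.yml, which lets any web page a browser happens to visit issue requests to the node's HTTP API; the head plugin only needs the single origin its UI is served from, so restricting `http.cors.allow-origin` to that origin keeps the plugin working without opening the API to every site. Relatedly, 'Head repository is checked-out' clones mobz/elasticsearch-head with no `version:` pin and the next task runs `community.general.npm` on that checkout, so whatever the default branch contains at run time, including package install scripts, executes on the host; pinning `version:` to a reviewed tag or commit would make that reproducible. The `regexp: "^http.cors.enabled:"` and `regexp: "^http.cors.allow-origin:"` patterns use unescaped dots, harmless here but worth tightening. Both lineinfile tasks continue past their hunks, so any `when:` guarding them is not visible.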
@ -1,7 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Check if /tmp is noexec
|
- name: Check if /tmp is noexec
|
||||||
shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec"
|
ansible.builtin.shell:
|
||||||
|
cmd: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec"
|
||||||
register: fstab_tmp_noexec
|
register: fstab_tmp_noexec
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
@ -9,13 +10,13 @@
|
||||||
|
|
||||||
- name: Tmpdir is moved to custom path
|
- name: Tmpdir is moved to custom path
|
||||||
block:
|
block:
|
||||||
- set_fact:
|
- ansible.builtin.set_fact:
|
||||||
_elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}"
|
_elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}"
|
||||||
tags:
|
tags:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
|
|
||||||
- name: "Create {{ _elasticsearch_custom_tmpdir }}"
|
- name: "Create {{ _elasticsearch_custom_tmpdir }}"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ _elasticsearch_custom_tmpdir }}"
|
path: "{{ _elasticsearch_custom_tmpdir }}"
|
||||||
owner: elasticsearch
|
owner: elasticsearch
|
||||||
group: elasticsearch
|
group: elasticsearch
|
||||||
|
@ -25,7 +26,7 @@
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
|
|
||||||
- name: change JVM tmpdir (< 6.x)
|
- name: change JVM tmpdir (< 6.x)
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
||||||
line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
|
line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
|
||||||
regexp: "^-Djava.io.tmpdir="
|
regexp: "^-Djava.io.tmpdir="
|
||||||
|
@ -40,7 +41,7 @@
|
||||||
when: elastic_stack_version is version('6', '<')
|
when: elastic_stack_version is version('6', '<')
|
||||||
|
|
||||||
- name: check if ES_TMPDIR is available (>= 6.x)
|
- name: check if ES_TMPDIR is available (>= 6.x)
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/default/elasticsearch
|
dest: /etc/default/elasticsearch
|
||||||
line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}"
|
line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}"
|
||||||
regexp: "^ES_TMPDIR="
|
regexp: "^ES_TMPDIR="
|
||||||
|
@ -53,7 +54,7 @@
|
||||||
|
|
||||||
# Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config.
|
# Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config.
|
||||||
- name: change JVM tmpdir (>= 6.x)
|
- name: change JVM tmpdir (>= 6.x)
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options
|
dest: /etc/elasticsearch/jvm.options
|
||||||
line: "-Djava.io.tmpdir=${ES_TMPDIR}"
|
line: "-Djava.io.tmpdir=${ES_TMPDIR}"
|
||||||
regexp: "^-Djava.io.tmpdir="
|
regexp: "^-Djava.io.tmpdir="
|
||||||
|
|
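Review bot: The new `cmd:` on 'Check if /tmp is noexec' keeps a `cat | grep | grep` pipeline with `failed_when: False`, so an unreadable /etc/fstab or a failing first grep registers exactly like "/tmp is not noexec", and without `set -o pipefail` only the last grep's status is reported; the 'Check if cron is installed' task in etc-git's utils.yml in this same commit already uses the safer shape, `cmd: "set -o pipefail && grep -E ' +/tmp' /etc/fstab | grep -q noexec"` with `executable: /bin/bash`. Note also that fstab reflects the configured rather than the effective mount options; if the intent is to test the live /tmp, `ansible_facts.mounts` carries the `options` of what is actually mounted. The consumer of `fstab_tmp_noexec` is outside the hunk, so the comparison it makes (rc versus stdout) is assumed, not seen.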
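--- /dev/null
+++ b/elasticsearch/templates/elastic.sources.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+Types: deb
+URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt
+Suites: stable
+Components: main
+Signed-by: {{ apt_keyring_dir }}/elastic.asc
+Enabled: yes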
@ -1,7 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "Execute ansible-commit"
|
- name: "Execute ansible-commit"
|
||||||
command: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\""
|
ansible.builtin.command:
|
||||||
|
cmd: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\""
|
||||||
changed_when:
|
changed_when:
|
||||||
- _ansible_commit.stdout
|
- _ansible_commit.stdout
|
||||||
- "'CHANGED:' in _ansible_commit.stdout"
|
- "'CHANGED:' in _ansible_commit.stdout"
|
||||||
|
|
|
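Review bot: The new `cmd:` on 'Execute ansible-commit' still embeds `{{ commit_message | mandatory }}` inside a double-quoted string that the command module then splits with shell-style quoting, so a commit message containing a double quote breaks the argument boundaries and anything after it becomes extra arguments; the 'Evocommit /etc of {{ container }}' task in this same commit already uses the `argv:` form, which hands each argument over as-is. Rewriting this task the same way removes both the quoting problem and the escaped quotes. The task's `register:` is outside the hunk, so it is assumed to be `_ansible_commit` as the `changed_when:` lines require.
```yaml
- name: "Execute ansible-commit"
  ansible.builtin.command:
    argv:
      - /usr/local/bin/ansible-commit
      - --verbose
      - --message
      - "{{ commit_message | mandatory }}"
  # … unchanged: changed_when conditions …
```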
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
- name: "Assert that we have been called with `container` defined"
|
- name: "Assert that we have been called with `container` defined"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- container is defined
|
- container is defined
|
||||||
|
|
||||||
- name: "Define path to /etc in {{ container }} container"
|
- name: "Define path to /etc in {{ container }} container"
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}"
|
container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}"
|
||||||
|
|
||||||
- name: "Check if /etc is a git repository in {{ container }}"
|
- name: "Check if /etc is a git repository in {{ container }}"
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: "{{ (container_etc, '.git') | path_join }}"
|
path: "{{ (container_etc, '.git') | path_join }}"
|
||||||
get_attributes: no
|
get_attributes: no
|
||||||
get_checksum: no
|
get_checksum: no
|
||||||
|
@ -17,7 +17,7 @@
|
||||||
register: "container_etc_git"
|
register: "container_etc_git"
|
||||||
|
|
||||||
- name: "Evocommit /etc of {{ container }}"
|
- name: "Evocommit /etc of {{ container }}"
|
||||||
command:
|
ansible.builtin.command:
|
||||||
argv:
|
argv:
|
||||||
- /usr/local/bin/evocommit
|
- /usr/local/bin/evocommit
|
||||||
- '--ansible'
|
- '--ansible'
|
||||||
|
|
|
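Review bot: `get_attributes: no` and `get_checksum: no` on the 'Check if /etc is a git repository' task keep YAML 1.1 boolean spellings while the rest of this migration targets ansible-lint's FQCN rule, whose companion `truthy` rule flags exactly these; `get_attributes: false` and `get_checksum: false` are the canonical forms. The same spelling recurs across the commit (`createhome: yes`, `clone: yes`, `daemon_reload: yes`, `enabled: yes` and `become: yes` in the elasticsearch head plugin file, `update_cache: yes` in the elasticsearch package and apt-update handler tasks, `failed_when: False`/`changed_when: False` in the tmpdir, etc-git, evoacme and evobackup-client files, `check_mode: no` in evoacme's hook task, and `certbot_custom_crontab: False` in evoacme's certbot.yml), so one `true`/`false` sweep would close it everywhere.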
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Git is installed (Debian)
|
- name: Git is installed (Debian)
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: git
|
name: git
|
||||||
state: present
|
state: present
|
||||||
tags:
|
tags:
|
||||||
|
@ -10,12 +10,12 @@
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
|
|
||||||
- name: Install and configure utilities
|
- name: Install and configure utilities
|
||||||
include: utils.yml
|
ansible.builtin.include: utils.yml
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: Configure repositories
|
- name: Configure repositories
|
||||||
include: repositories.yml
|
ansible.builtin.include: repositories.yml
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
when: etc_git_config_repositories | bool
|
when: etc_git_config_repositories | bool
|
|
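Review bot: `ansible.builtin.include: utils.yml` and `ansible.builtin.include: repositories.yml` carry the deprecated `include` action into the FQCN form instead of replacing it; `include` has been deprecated since Ansible 2.4 and is scheduled for removal in ansible-core 2.16, so these tasks will stop loading at that upgrade. Because both tasks rely on `tags:` reaching the included tasks, the static `ansible.builtin.import_tasks: utils.yml` is the drop-in replacement (with `include_tasks`, tags would apply only to the include itself unless passed through `apply:`). The same `ansible.builtin.include:` rewrite appears in etc-git's repositories.yml, evoacme's main.yml and evobackup-client's main.yml in this commit.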
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: repository.yml
|
- ansible.builtin.include: repository.yml
|
||||||
vars:
|
vars:
|
||||||
repository_path: "/etc"
|
repository_path: "/etc"
|
||||||
gitignore_items:
|
gitignore_items:
|
||||||
|
@ -15,18 +15,18 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: verify /usr/share/scripts presence
|
- name: verify /usr/share/scripts presence
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /usr/share/scripts
|
path: /usr/share/scripts
|
||||||
register: _usr_share_scripts
|
register: _usr_share_scripts
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when:
|
when:
|
||||||
- _usr_share_scripts.stat.isdir
|
- _usr_share_scripts.stat.isdir
|
||||||
|
|
||||||
- include: repository.yml
|
- ansible.builtin.include: repository.yml
|
||||||
vars:
|
vars:
|
||||||
repository_path: "/usr/share/scripts"
|
repository_path: "/usr/share/scripts"
|
||||||
gitignore_items: []
|
gitignore_items: []
|
||||||
|
|
|
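Review bot: `- _usr_share_scripts.stat.isdir` on the remount-usr include raises an undefined-attribute error rather than skipping when /usr/share/scripts does not exist, because `stat` only returns `isdir` for paths that exist; adding `- _usr_share_scripts.stat.exists` as the first item of that `when:` list short-circuits safely, since Ansible evaluates list conditions in order and stops at the first false one. The following `ansible.builtin.include: repository.yml` for /usr/share/scripts shows no `when:` inside the hunk, so confirm a guard exists beyond it or apply the same condition there, otherwise the repository tasks run against a missing directory.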
@ -1,11 +1,12 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: repository_path is search("/usr")
|
when: repository_path is search("/usr")
|
||||||
|
|
||||||
- name: "{{ repository_path }} is versioned with git"
|
- name: "{{ repository_path }} is versioned with git"
|
||||||
command: "git init ."
|
ansible.builtin.command:
|
||||||
|
cmd: "git init ."
|
||||||
args:
|
args:
|
||||||
chdir: "{{ repository_path }}"
|
chdir: "{{ repository_path }}"
|
||||||
creates: "{{ repository_path }}/.git/"
|
creates: "{{ repository_path }}/.git/"
|
||||||
|
@ -14,7 +15,7 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: Git user.email is configured
|
- name: Git user.email is configured
|
||||||
git_config:
|
community.general.git_config:
|
||||||
name: user.email
|
name: user.email
|
||||||
repo: "{{ repository_path }}"
|
repo: "{{ repository_path }}"
|
||||||
scope: local
|
scope: local
|
||||||
|
@ -23,7 +24,7 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "{{ repository_path }}/.git is restricted to root"
|
- name: "{{ repository_path }}/.git is restricted to root"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ repository_path }}/.git"
|
path: "{{ repository_path }}/.git"
|
||||||
owner: root
|
owner: root
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
|
@ -32,7 +33,7 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "{{ repository_path }}/.gitignore is present"
|
- name: "{{ repository_path }}/.gitignore is present"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: gitignore
|
src: gitignore
|
||||||
dest: "{{ repository_path }}/.gitignore"
|
dest: "{{ repository_path }}/.gitignore"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -42,7 +43,7 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "Some entries MUST be in the {{ repository_path }}/.gitignore file"
|
- name: "Some entries MUST be in the {{ repository_path }}/.gitignore file"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "{{ repository_path }}/.gitignore"
|
dest: "{{ repository_path }}/.gitignore"
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
loop: "{{ gitignore_items | default([]) }}"
|
loop: "{{ gitignore_items | default([]) }}"
|
||||||
|
@ -50,7 +51,8 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "does {{ repository_path }}/ have any commit?"
|
- name: "does {{ repository_path }}/ have any commit?"
|
||||||
command: "git log"
|
ansible.builtin.command:
|
||||||
|
cmd: "git log"
|
||||||
args:
|
args:
|
||||||
chdir: "{{ repository_path }}"
|
chdir: "{{ repository_path }}"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
@ -61,7 +63,8 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: initial commit is present?
|
- name: initial commit is present?
|
||||||
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
|
ansible.builtin.shell:
|
||||||
|
cmd: "git add -A . && git commit -m \"Initial commit via Ansible\""
|
||||||
args:
|
args:
|
||||||
chdir: "{{ repository_path }}"
|
chdir: "{{ repository_path }}"
|
||||||
register: git_commit
|
register: git_commit
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "evocommit script is installed"
|
- name: "evocommit script is installed"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: evocommit
|
src: evocommit
|
||||||
dest: /usr/local/bin/evocommit
|
dest: /usr/local/bin/evocommit
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "ansible-commit script is installed"
|
- name: "ansible-commit script is installed"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: ansible-commit
|
src: ansible-commit
|
||||||
dest: /usr/local/bin/ansible-commit
|
dest: /usr/local/bin/ansible-commit
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -24,7 +24,7 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "etc-git-optimize script is installed"
|
- name: "etc-git-optimize script is installed"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: etc-git-optimize
|
src: etc-git-optimize
|
||||||
dest: /usr/share/scripts/etc-git-optimize
|
dest: /usr/share/scripts/etc-git-optimize
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -33,7 +33,7 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: "etc-git-status script is installed"
|
- name: "etc-git-status script is installed"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: etc-git-status
|
src: etc-git-status
|
||||||
dest: /usr/share/scripts/etc-git-status
|
dest: /usr/share/scripts/etc-git-status
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -42,8 +42,8 @@
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: Check if cron is installed
|
- name: Check if cron is installed
|
||||||
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
ansible.builtin.shell:
|
||||||
args:
|
cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
@ -52,7 +52,7 @@
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Legacy cron jobs for /etc/.git status are absent
|
- name: Legacy cron jobs for /etc/.git status are absent
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ item }}"
|
dest: "{{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
loop:
|
loop:
|
||||||
|
@ -60,7 +60,7 @@
|
||||||
- /etc/cron.d/etc-git-status
|
- /etc/cron.d/etc-git-status
|
||||||
|
|
||||||
- name: Cron job for monthly git optimization
|
- name: Cron job for monthly git optimization
|
||||||
cron:
|
ansible.builtin.cron:
|
||||||
name: "Monthly optimization"
|
name: "Monthly optimization"
|
||||||
cron_file: etc-git
|
cron_file: etc-git
|
||||||
special_time: "monthly"
|
special_time: "monthly"
|
||||||
|
@ -68,7 +68,7 @@
|
||||||
job: "/usr/share/scripts/etc-git-optimize"
|
job: "/usr/share/scripts/etc-git-optimize"
|
||||||
|
|
||||||
- name: Cron job for hourly git status
|
- name: Cron job for hourly git status
|
||||||
cron:
|
ansible.builtin.cron:
|
||||||
name: "Hourly warning for unclean Git repository if nobody is connected"
|
name: "Hourly warning for unclean Git repository if nobody is connected"
|
||||||
cron_file: etc-git
|
cron_file: etc-git
|
||||||
special_time: "hourly"
|
special_time: "hourly"
|
||||||
|
@ -77,7 +77,7 @@
|
||||||
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
|
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
|
||||||
|
|
||||||
- name: Cron job for daily git status
|
- name: Cron job for daily git status
|
||||||
cron:
|
ansible.builtin.cron:
|
||||||
name: "Daily warning for unclean Git repository"
|
name: "Daily warning for unclean Git repository"
|
||||||
cron_file: etc-git
|
cron_file: etc-git
|
||||||
user: root
|
user: root
|
||||||
|
|
|
@ -1,25 +1,27 @@
|
||||||
- name: newaliases
|
- name: newaliases
|
||||||
command: newaliases
|
ansible.builtin.command:
|
||||||
|
cmd: newaliases
|
||||||
|
|
||||||
- name: Test Apache conf
|
- name: Test Apache conf
|
||||||
command: apache2ctl -t
|
ansible.builtin.command:
|
||||||
|
cmd: apache2ctl -t
|
||||||
notify: "Reload Apache conf"
|
notify: "Reload Apache conf"
|
||||||
|
|
||||||
- name: reload apache2
|
- name: reload apache2
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: apache2
|
name: apache2
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: apt update
|
- name: apt update
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: reload squid3
|
- name: reload squid3
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: squid3
|
name: squid3
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: reload squid
|
- name: reload squid
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: squid
|
name: squid
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
|
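Review bot: The 'Test Apache conf' handler notifies `"Reload Apache conf"`, but no handler in this file carries that name and the 'reload apache2' handler below it has no `listen:` for it, so the reload is never triggered unless another role in the play defines that handler; `notify: "reload apache2"`, or `listen: "Reload Apache conf"` on the 'reload apache2' handler, wires it up within this file. The `@ -1,25 +1,27 @@` hunk covers the whole 27-line file, so this is not a cut-off artefact. The file also lacks the leading `---` that the other handler files in this commit start with.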
@ -1,27 +1,29 @@
|
||||||
---
|
---
|
||||||
- name: Do no install certbot crontab
|
- name: Do no install certbot crontab
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
certbot_custom_crontab: False
|
certbot_custom_crontab: False
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/certbot
|
name: evolix/certbot
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
|
||||||
- name: Disable /etc/cron.d/certbot
|
- name: Disable /etc/cron.d/certbot
|
||||||
command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled
|
ansible.builtin.command:
|
||||||
|
cmd: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled
|
||||||
args:
|
args:
|
||||||
removes: /etc/cron.d/certbot
|
removes: /etc/cron.d/certbot
|
||||||
|
|
||||||
- name: Disable /etc/cron.daily/certbot
|
- name: Disable /etc/cron.daily/certbot
|
||||||
command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
|
ansible.builtin.command:
|
||||||
|
cmd: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
|
||||||
args:
|
args:
|
||||||
removes: /etc/cron.daily/certbot
|
removes: /etc/cron.daily/certbot
|
||||||
|
|
||||||
- name: Install evoacme custom cron
|
- name: Install evoacme custom cron
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: evoacme.cron
|
src: evoacme.cron
|
||||||
dest: /etc/cron.daily/evoacme
|
dest: /etc/cron.daily/evoacme
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- ini_file:
|
- community.general.ini_file:
|
||||||
dest: "{{ evoacme_crt_dir }}/openssl.cnf"
|
dest: "{{ evoacme_crt_dir }}/openssl.cnf"
|
||||||
section: 'req'
|
section: 'req'
|
||||||
option: "{{ item.name }}"
|
option: "{{ item.name }}"
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
- { name: 'prompt', var: 'no' }
|
- { name: 'prompt', var: 'no' }
|
||||||
|
|
||||||
- name: Update openssl conf
|
- name: Update openssl conf
|
||||||
ini_file:
|
community.general.ini_file:
|
||||||
dest: "{{ evoacme_crt_dir }}/openssl.cnf"
|
dest: "{{ evoacme_crt_dir }}/openssl.cnf"
|
||||||
section: 'req_dn'
|
section: 'req_dn'
|
||||||
option: "{{ item.name }}"
|
option: "{{ item.name }}"
|
||||||
|
@ -25,7 +25,7 @@
|
||||||
- { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" }
|
- { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" }
|
||||||
|
|
||||||
- name: Copy new evoacme conf
|
- name: Copy new evoacme conf
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: templates/evoacme.conf.j2
|
src: templates/evoacme.conf.j2
|
||||||
dest: /etc/default/evoacme
|
dest: /etc/default/evoacme
|
||||||
owner: root
|
owner: root
|
||||||
|
|
|
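Review bot: The first task in the file, `- community.general.ini_file:` writing the `[req]` section of openssl.cnf, has no `name:`, unlike the 'Update openssl conf' task below it that does the same for `[req_dn]`; ansible-lint's `name[missing]` rule flags this and the play output shows only the module name for it. A line such as `- name: Update openssl req section` in front of it would match the sibling task's style. The loop values such as `var: 'no'` are already quoted, so they reach openssl as the string `no` rather than a YAML boolean, which is the right choice.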
@ -1,18 +1,19 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "Create {{ hook_name }} hook directory"
|
- name: "Create {{ hook_name }} hook directory"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
dest: "{{ evoacme_hooks_dir }}"
|
dest: "{{ evoacme_hooks_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: "Search for {{ hook_name }} hook"
|
- name: "Search for {{ hook_name }} hook"
|
||||||
command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
|
ansible.builtin.command:
|
||||||
|
cmd: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: False
|
changed_when: False
|
||||||
register: _find_hook
|
register: _find_hook
|
||||||
|
|
||||||
- name: "Copy {{ hook_name }} hook if missing"
|
- name: "Copy {{ hook_name }} hook if missing"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "hooks/{{ hook_name }}"
|
src: "hooks/{{ hook_name }}"
|
||||||
dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}"
|
dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}"
|
||||||
mode: "0750"
|
mode: "0750"
|
||||||
|
|
|
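Review bot: The 'Search for {{ hook_name }} hook' task builds a `find` invocation from `{{ evoacme_hooks_dir }}` and `{{ hook_name }}` inside a double-quoted `cmd:` that the command module then splits, so the escaped `\\(` / `\\)` and inner single quotes only hold while `hook_name` contains no whitespace or quotes; the `ansible.builtin.find` module expresses the same search with no argument parsing and is check-mode safe by nature, which also makes the `check_mode: no` line unnecessary. The register's consumer is outside the hunk: with the find module the result carries `matched` and `files` rather than `stdout`, so the 'Copy {{ hook_name }} hook if missing' condition, presumably reading `_find_hook.stdout`, would need to become `when: _find_hook.matched == 0`.
```yaml
- name: "Search for {{ hook_name }} hook"
  ansible.builtin.find:
    paths: "{{ evoacme_hooks_dir }}"
    patterns:
      - "{{ hook_name }}"
      - "{{ hook_name }}.*"
    file_type: file
  register: _find_hook
```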
@ -1,16 +1,16 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Verify Debian version
|
- name: Verify Debian version
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('9', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
msg: only compatible with Debian >= 9
|
msg: only compatible with Debian >= 9
|
||||||
when: not (evoacme_disable_debian_check | bool)
|
when: not (evoacme_disable_debian_check | bool)
|
||||||
|
|
||||||
- include: certbot.yml
|
- ansible.builtin.include: certbot.yml
|
||||||
|
|
||||||
- include: permissions.yml
|
- ansible.builtin.include: permissions.yml
|
||||||
|
|
||||||
# Enable this task if you want to deploy hooks
|
# Enable this task if you want to deploy hooks
|
||||||
# - include: evoacme_hook.yml
|
# - include: evoacme_hook.yml
|
||||||
|
@ -18,6 +18,6 @@
|
||||||
# hook_name: "{{ item }}"
|
# hook_name: "{{ item }}"
|
||||||
# loop: []
|
# loop: []
|
||||||
|
|
||||||
- include: conf.yml
|
- ansible.builtin.include: conf.yml
|
||||||
|
|
||||||
- include: scripts.yml
|
- ansible.builtin.include: scripts.yml
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Fix crt directory permissions
|
- name: Fix crt directory permissions
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ evoacme_crt_dir }}"
|
path: "{{ evoacme_crt_dir }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -9,7 +9,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: "Fix hooks directory permissions"
|
- name: "Fix hooks directory permissions"
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ evoacme_hooks_dir }}"
|
path: "{{ evoacme_hooks_dir }}"
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -17,7 +17,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Fix log directory permissions
|
- name: Fix log directory permissions
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ evoacme_log_dir }}"
|
path: "{{ evoacme_log_dir }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -25,7 +25,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Fix challenge directory permissions
|
- name: Fix challenge directory permissions
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ evoacme_acme_dir }}"
|
path: "{{ evoacme_acme_dir }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: root
|
owner: root
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include_role:
|
- ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: Create CSR dir
|
- name: Create CSR dir
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ evoacme_csr_dir }}"
|
path: "{{ evoacme_csr_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: Copy make-csr.sh script
|
- name: Copy make-csr.sh script
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: make-csr.sh
|
src: make-csr.sh
|
||||||
dest: /usr/local/sbin/make-csr
|
dest: /usr/local/sbin/make-csr
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: Copy vhost-domains.sh script
|
- name: Copy vhost-domains.sh script
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: vhost-domains.sh
|
src: vhost-domains.sh
|
||||||
dest: /usr/local/sbin/vhost-domains
|
dest: /usr/local/sbin/vhost-domains
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -28,7 +28,7 @@
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: Copy evoacme script
|
- name: Copy evoacme script
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: evoacme.sh
|
src: evoacme.sh
|
||||||
dest: /usr/local/sbin/evoacme
|
dest: /usr/local/sbin/evoacme
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -36,7 +36,7 @@
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: Delete scripts in old location
|
- name: Delete scripts in old location
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "/usr/local/bin/{{ item }}"
|
path: "/usr/local/bin/{{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
loop:
|
loop:
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
### File generated by Ansible ###
|
### File generated by Ansible ###
|
||||||
|
|
||||||
SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }
|
SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"}
|
||||||
ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }} }
|
ACME_DIR=${ACME_DIR:-"{{ evoacme_acme_dir }}"}
|
||||||
CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }} }
|
CSR_DIR=${CSR_DIR:-"{{ evoacme_csr_dir }}"}
|
||||||
CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }} }
|
CRT_DIR=${CRT_DIR:-"{{ evoacme_crt_dir }}"}
|
||||||
HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"}
|
HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"}
|
||||||
LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }} }
|
LOG_DIR=${LOG_DIR:-"{{ evoacme_log_dir }}"}
|
||||||
SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }} }
|
SSL_MINDAY=${SSL_MINDAY:-"{{ evoacme_ssl_minday }}"}
|
||||||
|
|
|
@ -1,17 +1,20 @@
|
||||||
---
|
---
|
||||||
- name: restart minifirewall
|
- name: restart minifirewall
|
||||||
command: /etc/init.d/minifirewall restart
|
ansible.builtin.command:
|
||||||
|
cmd: /etc/init.d/minifirewall restart
|
||||||
register: minifirewall_init_restart
|
register: minifirewall_init_restart
|
||||||
failed_when:
|
failed_when:
|
||||||
- "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
- "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
||||||
- "'minifirewall started' not in minifirewall_init_restart.stdout"
|
- "'minifirewall started' not in minifirewall_init_restart.stdout"
|
||||||
|
|
||||||
- name: 'created new jail'
|
- name: 'created new jail'
|
||||||
command: "bkctld restart {{ evolinux_hostname }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "bkctld restart {{ evolinux_hostname }}"
|
||||||
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
||||||
|
|
||||||
- name: 'jail updated'
|
- name: 'jail updated'
|
||||||
command: "bkctld restart {{ evolinux_hostname }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "bkctld restart {{ evolinux_hostname }}"
|
||||||
# - "bkctld sync {{ evolinux_hostname }}"
|
# - "bkctld sync {{ evolinux_hostname }}"
|
||||||
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
||||||
when: evobackup_client__hosts | length > 1
|
when: evobackup_client__hosts | length > 1
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: 'create jail'
|
- name: 'create jail'
|
||||||
command: "bkctld init {{ evolinux_hostname }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "bkctld init {{ evolinux_hostname }}"
|
||||||
args:
|
args:
|
||||||
creates: "/backup/jails/{{ evolinux_hostname }}/"
|
creates: "/backup/jails/{{ evolinux_hostname }}/"
|
||||||
become: true
|
become: true
|
||||||
|
@ -15,7 +16,8 @@
|
||||||
# temp fix for bkctld 2.x because the ip and key command return 1
|
# temp fix for bkctld 2.x because the ip and key command return 1
|
||||||
# if the jail is not started, see https://gitea.evolix.org/evolix/evobackup/issues/31
|
# if the jail is not started, see https://gitea.evolix.org/evolix/evobackup/issues/31
|
||||||
- name: 'start jail'
|
- name: 'start jail'
|
||||||
command: "bkctld restart {{ evolinux_hostname }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "bkctld restart {{ evolinux_hostname }}"
|
||||||
become: true
|
become: true
|
||||||
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
||||||
tags:
|
tags:
|
||||||
|
@ -23,7 +25,8 @@
|
||||||
- evobackup_client_jail
|
- evobackup_client_jail
|
||||||
|
|
||||||
- name: 'add ip to jail'
|
- name: 'add ip to jail'
|
||||||
command: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}"
|
||||||
become: true
|
become: true
|
||||||
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
||||||
notify: 'jail updated'
|
notify: 'jail updated'
|
||||||
|
@ -32,7 +35,8 @@
|
||||||
- evobackup_client_jail
|
- evobackup_client_jail
|
||||||
|
|
||||||
- name: 'add key to jail'
|
- name: 'add key to jail'
|
||||||
command: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub"
|
ansible.builtin.command:
|
||||||
|
cmd: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub"
|
||||||
become: true
|
become: true
|
||||||
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
||||||
notify: 'jail updated'
|
notify: 'jail updated'
|
||||||
|
@ -41,7 +45,8 @@
|
||||||
- evobackup_client_jail
|
- evobackup_client_jail
|
||||||
|
|
||||||
- name: 'get jail port'
|
- name: 'get jail port'
|
||||||
command: "bkctld port {{ evolinux_hostname }}"
|
ansible.builtin.command:
|
||||||
|
cmd: "bkctld port {{ evolinux_hostname }}"
|
||||||
become: true
|
become: true
|
||||||
register: bkctld_port
|
register: bkctld_port
|
||||||
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
delegate_to: "{{ evobackup_client__hosts[0].ip }}"
|
||||||
|
@ -50,7 +55,7 @@
|
||||||
- evobackup_client_jail
|
- evobackup_client_jail
|
||||||
|
|
||||||
- name: 'register jail port'
|
- name: 'register jail port'
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
evobackup_ssh_port={{ bkctld_port.stdout }}
|
evobackup_ssh_port={{ bkctld_port.stdout }}
|
||||||
tags:
|
tags:
|
||||||
- evobackup_client
|
- evobackup_client
|
||||||
|
|
|
@ -1,26 +1,26 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: "ssh_key.yml"
|
- ansible.builtin.include: "ssh_key.yml"
|
||||||
tags:
|
tags:
|
||||||
- evobackup_client
|
- evobackup_client
|
||||||
- evobackup_client_backup_ssh_key
|
- evobackup_client_backup_ssh_key
|
||||||
|
|
||||||
- include: "jail.yml"
|
- ansible.builtin.include: "jail.yml"
|
||||||
tags:
|
tags:
|
||||||
- evobackup_client
|
- evobackup_client
|
||||||
- evobackup_client_jail
|
- evobackup_client_jail
|
||||||
|
|
||||||
- include: "upload_scripts.yml"
|
- ansible.builtin.include: "upload_scripts.yml"
|
||||||
tags:
|
tags:
|
||||||
- evobackup_client
|
- evobackup_client
|
||||||
- evobackup_client_backup_scripts
|
- evobackup_client_backup_scripts
|
||||||
|
|
||||||
- include: "open_ssh_ports.yml"
|
- ansible.builtin.include: "open_ssh_ports.yml"
|
||||||
tags:
|
tags:
|
||||||
- evobackup_client
|
- evobackup_client
|
||||||
- evobackup_client_backup_firewall
|
- evobackup_client_backup_firewall
|
||||||
|
|
||||||
- include: "verify_ssh.yml"
|
- ansible.builtin.include: "verify_ssh.yml"
|
||||||
tags:
|
tags:
|
||||||
- evobackup_client
|
- evobackup_client
|
||||||
- evobackup_client_backup_hosts
|
- evobackup_client_backup_hosts
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Is there a Minifirewall ?
|
- name: Is there a Minifirewall ?
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /etc/default/minifirewall
|
path: /etc/default/minifirewall
|
||||||
register: evobackup_client__minifirewall
|
register: evobackup_client__minifirewall
|
||||||
tags:
|
tags:
|
||||||
|
@ -9,7 +9,7 @@
|
||||||
- evobackup_client_backup_firewall
|
- evobackup_client_backup_firewall
|
||||||
|
|
||||||
- name: Add backup SSH port in /etc/default/minifirewall
|
- name: Add backup SSH port in /etc/default/minifirewall
|
||||||
blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: /etc/default/minifirewall
|
||||||
marker: "# {mark} {{ item.name }}"
|
marker: "# {mark} {{ item.name }}"
|
||||||
block: |
|
block: |
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Create SSH key
|
- name: Create SSH key
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: root
|
name: root
|
||||||
generate_ssh_key: true
|
generate_ssh_key: true
|
||||||
ssh_key_file: "{{ evobackup_client__root_key_path }}"
|
ssh_key_file: "{{ evobackup_client__root_key_path }}"
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
- evobackup_client_backup_ssh_key
|
- evobackup_client_backup_ssh_key
|
||||||
|
|
||||||
- name: Print SSH key
|
- name: Print SSH key
|
||||||
debug:
|
ansible.builtin.debug:
|
||||||
var: evobackup_client__root_key.ssh_public_key
|
var: evobackup_client__root_key.ssh_public_key
|
||||||
when: evobackup_client__root_key.ssh_public_key is defined
|
when: evobackup_client__root_key.ssh_public_key is defined
|
||||||
tags:
|
tags:
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
- evobackup_client_backup_ssh_key
|
- evobackup_client_backup_ssh_key
|
||||||
|
|
||||||
- name: 'copy ssh public key to backup server'
|
- name: 'copy ssh public key to backup server'
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ evobackup_client__root_key.ssh_public_key }}"
|
content: "{{ evobackup_client__root_key.ssh_public_key }}"
|
||||||
dest: "/root/{{ evolinux_hostname }}.pub"
|
dest: "/root/{{ evolinux_hostname }}.pub"
|
||||||
become: true
|
become: true
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Upload evobackup script
|
- name: Upload evobackup script
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: "{{ evobackup_client__cron_path }}"
|
dest: "{{ evobackup_client__cron_path }}"
|
||||||
force: true
|
force: true
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Verify evolix backup servers
|
- name: Verify evolix backup servers
|
||||||
known_hosts:
|
ansible.builtin.known_hosts:
|
||||||
path: /root/.ssh/known_hosts
|
path: /root/.ssh/known_hosts
|
||||||
name: "[{{ item.name }}]:{{ item.port }}"
|
name: "[{{ item.name }}]:{{ item.port }}"
|
||||||
key: "[{{ item.name }}]:{{ item.port }} {{ item.fingerprint }}"
|
key: "[{{ item.name }}]:{{ item.port }} {{ item.fingerprint }}"
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Linux (Debian) server
|
# Script to verify compliance of a Linux (Debian) server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
VERSION="23.03.01"
|
VERSION="23.04.01"
|
||||||
readonly VERSION
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|