Squash: conventions, evolinux, etc-git…

CONVENTIONS.md

@@ -0,0 +1,158 @@
+# Conventions
+
+## Roles
+
+We can use the `ansible-galaxy init` command to bootstrap a new role :
+
+    $ ansible-galaxy init foo
+    - foo was created successfully
+    $ tree foo
+    foo
+    ├── defaults
+    │   └── main.yml
+    ├── files
+    ├── handlers
+    │   └── main.yml
+    ├── meta
+    │   └── main.yml
+    ├── README.md
+    ├── tasks
+    │   └── main.yml
+    ├── templates
+    ├── tests
+    │   ├── inventory
+    │   └── test.yml
+    └── vars
+        └── main.yml
+
+All `main.yml` file will be picked up by Ansible automatically, with respect to their own responsibility.
+
+The main directory is `tasks`. It will contains tasks, either all in the `main.yml` file, or grouped in files that can be included in the main file.
+
+`defaults/main.yml` is the place to put the list of all variables for the role with a default value.
+
+`vars` will hold files with variables definitions. Those differ from the defaults because of a much higher precedence (see below).
+
+`files` is the directory where we'll put files to copy on hosts. They will be copied "as-is". When a role has multiple logical groups of tasks, it's best to create a sub-directroy for each group that needs files. The name of files in these directories doesn't have to be the same as the destination name. Example :
+
+    copy:
+      src: apt/jessie_backports_preferences
+      dest: /etc/apt/apt.conf.d/backports
+
+`templates` is the twin brother of `files`, but differs in that it contains files that can be pre-processed by the Jinja2 templating language. It can contain variables that will be extrapolated before copying the file to its destination.
+
+`handlers` is the place to put special tasks that can be triggered by the `notify` argument of modules. For example an `nginx -s reload` command.
+
+`meta/main.yml` contains … well … "meta" information. There we can define role dependencies, but also some "galaxy" information like the desired Ansible version, supported OS and distributions, a destription, author/ownership, license…
+
+`tests` and `.travis.yml` are here to help testing with a test matrix, a test inventory and a test playbook.
+
+We can delete parts we don't need.
+
+### How much goes into a role
+
+We create roles (instead of a plain tasks files) when it makes sense as a whole, and it is more that a series of tasks. It often has variables, files/templates, handlers…
+
+## Syntax
+
+### Pure YAML
+
+It's possible to use a compact (Ansible specific) syntax,
+
+    - name: Add evomaintenance trap for '{{ user.name }}'
+      lineinfile: state=present dest='/home/{{ user.name }}/.profile' insertafter=EOF line='trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
+      when: evomaintenance_script.stat.exists
+
+but we prefer the pure-YAML syntax
+
+    - name: Add evomaintenance trap for '{{ user.name }}'
+      lineinfile:
+        state: present
+        dest: '/home/{{ user.name }}/.profile'
+        insertafter: EOF
+        line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
+      when: evomaintenance_script.stat.exists
+
+Here are some reasons :
+
+* when lines get long, it's easier to read ;
+* it's a pure YAML syntax, so there is no Ansible-specific preprocessing
+* … with means that IDE can show the proper syntax highligthing ;
+* each argument stands on its own.
+
+## Variables
+
+### defaults
+
+When a role is using variables, they must be defined (for example in the `defaults/main.yml`) with a default value (possibly Ǹull). That way, there will never be an "foo is undefined" situation.
+
+### progressive specificity
+
+In many roles, we use a *progressive specificity* pattern for some variables.
+The most common is for "alert_email" ; we want to have a default email address where all alerts or message will be sent, but it can be customized globally, and also customized per task/role.
+
+For the *evolinux-base* role we have those defaults :
+
+    general_alert_email: "root@localhost"
+    reboot_alert_email: Null
+    log2mail_alert_email: Null
+    raid_alert_email: Null
+
+In the *log2mail* template, we set the email address like this :
+
+    mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
+
+if nothing is customize, the mail will be sent to root@localhost, if geeral_alert_email is changed, it will be use, but if log2mail_alert_email is set to a non-null value, it will have precedence.
+
+## precedence
+
+There are multiple places where we can define variables ans there is a specific precedence order for the resolution. Here is [the (ascending) order](http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) :
+
+* role defaults
+* inventory vars
+* inventory group_vars
+* inventory host_vars
+* playbook group_vars
+* playbook host_vars
+* host facts
+* play vars
+* play vars_prompt
+* play vars_files
+* registered vars
+* set_facts
+* role and include vars
+* block vars (only for tasks in block)
+* task vars (only for the task)
+* extra vars (always win precedence)
+
+## Configuration patterns
+
+### lineinfile vs. blockinfile vs. copy/template
+
+When possible, we prefer using the [lineinfile](http://docs.ansible.com/ansible/lineinfile_module.html) module to make very specific changes.
+If a `regexp` argument is specified, every line that matches the pattern will be updated. It's a good way to comment/uncomment variable, of add a piece inside a line.
+
+When it's not possible (multi-line changes, for example), we can use the [blockinfile](http://docs.ansible.com/ansible/blockinfile_module.html) module. It managed blocs of text with begin/end markers. The marker can be customized, mostly to use the proper comment syntax, but also to prevent collisions within a file.
+
+If none of the previous ca be used, we can use [copy](http://docs.ansible.com/ansible/copy_module.html) or [template](http://docs.ansible.com/ansible/template_module.html) modules to copy an entire file.
+
+### defaults and custom files
+
+We try not to alter configuration files managed by packages. It makes upgrading easier, so when a piece of software has a "foo.d" configuration directory, we add custom files there.
+
+We usually put a `z-evolinux-defaults` with our core configuration. This file can be changed later via Ansible and must not be edited by hand. Example :
+
+    copy:
+      src: evolinux-defaults.cnf
+      dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf
+      force: yes
+
+
+We also create a blank `zzz-evolinux-custom` file, with commented examples, to allow custom configuration that will never be reverted by Ansible. Example :
+
+    copy:
+      src: evolinux-custom.cnf
+      dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf
+      force: no
+
+The source file or template shouldn't to be prefixed for ordering (eg. `z-` or `zzz-`). It's the task's responsibility to choose how destination files must be ordered.

Vagrantfile

@@ -9,7 +9,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.synced_folder "./vagrant_share/", "/vagrant", disabled: true
 
   config.vm.provider :virtualbox do |v|
-    v.memory = 1024
+    v.memory = 2048
     v.cpus = 2
     v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
     v.customize ["modifyvm", :id, "--ioapic", "on"]

apache/README.md

@@ -6,6 +6,13 @@ Install Apache
 
 Everything is in the `tasks/main.yml` file for now.
 
-## Variables
+## Available variables
 
-To add IP to apache whitelist, define apache_ipaddr_whitelist variable as list.
+Main variables are :
+
+* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
+* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
+* `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
+* `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.

apache/defaults/main.yml

@@ -1 +1,6 @@
-apache_ipaddr_whitelist: []
+---
+apache_private_ipaddr_whitelist_present: []
+apache_private_ipaddr_whitelist_absent: []
+
+apache_private_htpasswd_present: []
+apache_private_htpasswd_absent: []

apache/files/private_htpasswd

@@ -0,0 +1 @@
+# user:password for HTTP Basic authentication

apache/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: Ensure packages are installed
+- name: packages are installed
   apt:
     name: '{{ item }}'
     state: present
@@ -7,8 +7,10 @@
     - apachetop
     - libapache2-mod-evasive
     - libwww-perl
+  tags:
+    - apache
 
-- name: Ensure basic modules are enabled
+- name: basic modules are enabled
   apache2_module:
     name: '{{ item }}'
     state: present
@@ -18,48 +20,120 @@
     - headers
     - rewrite
     - cgi
+  tags:
+    - apache
 
-- name: Copy Apache config files
+- name: Copy Apache defaults config file
   copy:
-    src: "{{ item.file }}"
-    dest: "/etc/apache2/conf-available/{{ item.file }}"
+    src: evolinux-defaults.conf
+    dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf
     owner: root
     group: root
-    mode: "{{ item.mode }}"
-  with_items:
-    - { file: z_evolinux.conf, mode: 0644 }
-    - { file: zzz_evolinux.conf, mode: 0640 }
+    mode: 0644
+    force: yes
+  tags:
+    - apache
+
+- name: Copy Apache custom config file
+  template:
+    src: evolinux-custom.conf.j2
+    dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf
+    owner: root
+    group: root
+    mode: 0644
+    force: no
+  tags:
+    - apache
 
-- name: Ensure Apache default config is enabled
-  command: a2enconf z_evolinux.conf zzz_evolinux.conf
+- name: Ensure Apache config files are enabled
+  command: "a2enconf {{ item }}"
   register: command_result
   changed_when: "'Enabling' in command_result.stderr"
+  with_items:
+    - z-evolinux-defaults.conf
+    - zzz-evolinux-custom.conf
+  tags:
+    - apache
 
-- name: Init ipaddr_whitelist.conf file
+- name: Init private_ipaddr_whitelist.conf file
   copy:
-    src: ipaddr_whitelist.conf
-    dest: /etc/apache2/ipaddr_whitelist.conf
+    src: private_ipaddr_whitelist.conf
+    dest: /etc/apache2/private_ipaddr_whitelist.conf
     owner: root
     group: root
     mode: 0640
     force: no
+  tags:
+    - apache
 
-- name: Add IP addresses to private IP whitelist if defined
+- name: add IP addresses to private IP whitelist
   lineinfile:
-    dest: /etc/apache2/ipaddr_whitelist.conf
+    dest: /etc/apache2/private_ipaddr_whitelist.conf
     line: "Allow from {{ item }}"
     state: present
-  with_items: "{{ apache_ipaddr_whitelist }}"
+  with_items: "{{ apache_private_ipaddr_whitelist_present }}"
+  notify: reload apache
+  tags:
+    - apache
+
+- name: remove IP addresses from private IP whitelist
+  lineinfile:
+    dest: /etc/apache2/private_ipaddr_whitelist.conf
+    line: "Allow from {{ item }}"
+    state: absent
+  with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
+  notify: reload apache
+  tags:
+    - apache
+
+- name: Copy private_htpasswd
+  copy:
+    src: private_htpasswd
+    dest: /etc/apache2/private_htpasswd
+    owner: root
+    group: root
+    mode: 0640
+    force: no
+  notify: reload apache
+  tags:
+    - apache
+
+- name: add user:pwd to private htpasswd
+  lineinfile:
+    dest: /etc/apache2/private_htpasswd
+    line: "{{ item }}"
+    state: present
+  with_items: "{{ apache_private_htpasswd_present }}"
+  notify: reload apache
+  tags:
+    - apache
+
+- name: remove user:pwd from private htpasswd
+  lineinfile:
+    dest: /etc/apache2/private_htpasswd
+    line: "{{ item }}"
+    state: absent
+  with_items: "{{ apache_private_htpasswd_absent }}"
+  notify: reload apache
+  tags:
+    - apache
+
+- name: is umask already present?
+  command: "grep -E '^umask ' /etc/apache2/envvars"
+  failed_when: False
+  changed_when: False
+  register: envvar_grep_umask
+  tags:
+    - apache
 
 - name: Add a mark in envvars for umask
   blockinfile:
     dest: /etc/apache2/envvars
+    marker: "## {mark} ANSIBLE MANAGED BLOCK"
     block: |
       ## Set umask for writing by Apache user.
       ## Set rights on files and directories written by Apache
-
-- name : Ensure umask is set in envvars (default is umask 007)
-  lineinfile:
-    dest: /etc/apache2/envvars
-    regexp: "^umask"
-    line: "umask 007"
+      umask 007
+  when: envvar_grep_umask.rc != 0
+  tags:
+    - apache

apt-backports/tasks/main.yml

@@ -1,23 +0,0 @@
----
-- name: Jessie-backports list is available
-  apt_repository:
-    repo: "deb http://mirror.evolix.org/debian jessie-backports main contrib non-free"
-    update_cache: yes
-    state: present
-  tags:
-    - system
-    - packages
-
-- name: Backports have a low priority
-  blockinfile:
-    dest: /etc/apt/preferences.d/backports
-    marker: "// {mark} ANSIBLE MANAGED BLOCK"
-    insertafter: EOF
-    create: yes
-    block: |
-      Package: *
-      Pin: release a=jessie-backports
-      Pin-Priority: 50
-  tags:
-    - system
-    - packages

apt-repositories/defaults/main.yml

@@ -0,0 +1 @@
+apt_repositories_components: "main"

apt-repositories/files/jessie_backports_preferences

@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=jessie-backports
+Pin-Priority: 50

apt-repositories/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Backports sources list is installed
+  template:
+    src: backports.list.j2
+    dest: /etc/apt/sources.list.d/backports.list
+    force: yes
+    backup: yes
+    mode: 0640
+
+- name: Backports configuration
+  copy:
+    src: jessie_backports_preferences
+    dest: /etc/apt/preferences.d/backports
+    force: yes
+    backup: yes
+    mode: 0640

apt-repositories/templates/backports.list.j2

@@ -0,0 +1 @@
+deb http://mirror.evolix.org/debian jessie-backports {{ apt_repositories_components | mandatory }}

apt-upgrade/README.md

@@ -1,13 +0,0 @@
-# apt-upgrade
-
-Upgrades Debian packages
-
-## Tasks
-
-Everything is in the `tasks/main.yml` file.
-
-## Available variables
-
-* `apt_upgrade_mode` : kind of upgrade to do (cf. http://docs.ansible.com/ansible/apt_module.html#options)
-
-Choice of upgrade mode can be set in a variables file (ex. `vars/main.yml`) or when invoking the role (`- { role: apt-upgrade, apt_upgrade_mode: safe }`).

apt-upgrade/tasks/main.yml

@@ -1,8 +0,0 @@
----
-- name: Ensure Debian is up-to-date
-  apt:
-    update_cache: yes
-    upgrade: "{{ apt_upgrade_mode | default('safe') }}"
-  tags:
-    - system
-    - packages

elasticsearch-plugin-head/defaults/main.yml

@@ -1,3 +1,4 @@
+---
 elasticsearch_plugin_head_home: /home/elasticsearch-head
 elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www"
 elasticsearch_plugin_head_owner: "elasticsearch-head"

elasticsearch-plugin-head/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - nodejs

elasticsearch-plugin-head/tasks/main.yml

@@ -1,41 +1,5 @@
 ---
 
-
-- name: APT https transport is enabled
-  apt:
-    name: apt-transport-https
-    state: installed
-  tags:
-    - system
-    - packages
-
-- name: Node GPG key is installed
-  apt_key:
-    url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key
-    state: present
-  tags:
-    - system
-    - packages
-    - npm
-
-- name: Node sources list is available
-  apt_repository:
-    repo: "deb https://deb.nodesource.com/node_6.x jessie main"
-    state: present
-  tags:
-    - system
-    - packages
-    - npm
-
-- name: Node is installed
-  apt:
-    name: nodejs
-    update_cache: yes
-    state: installed
-  tags:
-    - packages
-    - npm
-
 - name: "User {{ elasticsearch_plugin_head_owner }} is present"
   user:
     name: "{{ elasticsearch_plugin_head_owner }}"

elasticsearch/defaults/main.yml

@@ -1,3 +1,4 @@
+---
 elasticsearch_cluster_name: Null
 elasticsearch_node_name: "${HOSTNAME}"
 elasticsearch_network_host: "[_site_, _local_]"

etc-git/README.md

@@ -0,0 +1,7 @@
+# etc-git
+
+Put /etc under Git version control.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.

etc-git/files/gitignore

@@ -0,0 +1 @@
+aliases.db

etc-git/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Git is installed
+  apt:
+    name: git
+    state: present
+
+- name: /etc is versioned with git
+  command: "git init ."
+  args:
+    chdir: /etc
+    creates: /etc/.git/
+  register: git_init
+
+- name: /etc/.gitignore is present
+  copy:
+    src: gitignore
+    dest: /etc/.gitignore
+    owner: root
+    group: root
+    mode: 0600
+
+- name: does /etc/ have any commit?
+  command: "git log"
+  args:
+    chdir: /etc
+  changed_when: False
+  failed_when: False
+  register: git_log
+
+- name: initial commit is present?
+  shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
+  args:
+    chdir: /etc
+  register: git_commit
+  when: git_init.changed or git_log.rc != 0

evocheck/README.md

@@ -0,0 +1,7 @@
+# evocheck
+
+Install a script to verify compliance of a Debian/OpenBSD server
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.

evocheck/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: evolinux-sources-list }

evocheck/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: evocheck is installed
+  command: "apt-get install -yq --allow-unauthenticated evomaintenance"
+  register: installed_evomaintenance
+  changed_when: not (installed_evomaintenance.stdout | search("0 upgraded") and installed_evomaintenance.stdout | search("0 newly installed"))
+
+# TODO make sure that the package is in the right version

evolinux-admin-users/README.md

@@ -0,0 +1,29 @@
+# evolinux-admin-users
+
+Creates admin users accounts, based on a configuration data structure.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The variable `evolinux_admin_users` must be a "hash" of one or more users :
+
+```
+evolinux_admin_users:
+  - name: foo
+    uid: 1001
+    fullname: 'Mr Foo'
+    password_hash: 'sdfgsdfgsdfgsdfg'
+    ssh_key: 'ssh-rsa AZERTYXYZ'
+  - name: bar
+    uid: 1002
+    fullname: 'Mr Bar'
+    password_hash: 'gsdfgsdfgsdfgsdf'
+    ssh_key: 'ssh-rsa QWERTYUIOP'
+```
+
+* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`).
+* `listupgrade_scripts_dir`: script directory for listupgrade (default: `general_scripts_dir`).
+* `evomaintenance_scripts_dir`: script directory for evomaintenance (default: `general_scripts_dir`).

evolinux-admin-users/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+evolinux_admin_users: []
+
+general_scripts_dir: "/usr/local/bin"
+evomaintenance_scripts_dir: Null
+listupgrade_scripts_dir: Null

evolinux-admin-users/tasks/adduser_debian.yml

@@ -0,0 +1,95 @@
+---
+
+- name: Test if uid exists for '{{ user.name }}'
+  command: 'getent passwd {{ user.uid }}'
+  register: uidisbusy
+  failed_when: False
+  changed_when: False
+
+- name: Add Unix account with classical uid for '{{ user.name }}'
+  user:
+   state: present
+   uid: '{{ user.uid }}'
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when: uidisbusy|failed
+
+- name: Add Unix account with random uid for '{{ user.name }}'
+  user:
+   state: present
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when: uidisbusy|success
+
+- name: Fix perms on homedirectory for '{{ user.name }}'
+  file:
+   name: '/home/{{ user.name }}'
+   mode: 0700
+   state: directory
+
+- name: is evomaintenance installed?
+  stat:
+    path: "{{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh"
+  register: evomaintenance_script
+
+- name: Add evomaintenance trap for '{{ user.name }}'
+  lineinfile:
+    state: present
+    dest: '/home/{{ user.name }}/.profile'
+    insertafter: EOF
+    line: 'trap "sudo {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh" 0'
+  when: evomaintenance_script.stat.exists
+
+- name: Create .ssh directory for '{{ user.name }}'
+  file:
+    dest: '/home/{{ user.name }}/.ssh/'
+    state: directory
+    mode: 0700
+    owner: '{{ user.name }}'
+    group: '{{ user.name }}'
+
+- name: Add user's SSH public key for '{{ user.name }}'
+  lineinfile:
+    dest: '/home/{{ user.name }}/.ssh/authorized_keys'
+    create: yes
+    line: '{{ user.ssh_key }}'
+    owner: '{{ user.name }}'
+    group: '{{ user.name }}'
+
+- name: Modify AllowUsers' sshd directive for '{{ user.name }}'
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
+    replace: '\1 {{ user.name }}'
+  notify:
+    - reload sshd
+
+- name: Modify Match User's sshd directive for '{{ user.name }}'
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match User ((?!{{ user.name }}).)*)$'
+    replace: '\1,{{ user.name }}'
+  notify:
+    - reload sshd
+
+- name: Evolinux sudoers file is present
+  template:
+    src: sudoers_debian.j2
+    dest: /etc/sudoers.d/evolinux
+    force: false
+    validate: '/usr/sbin/visudo -cf %s'
+  register: copy_sudoers_evolinux
+
+- name: Add user in sudoers file for '{{ user.name }}'
+  replace:
+    dest: /etc/sudoers.d/evolinux
+    regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
+    replace: '\1,{{ user.name }}'
+    validate: '/usr/sbin/visudo -cf %s'
+  when: not copy_sudoers_evolinux.changed

evolinux-admin-users/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- include: adduser_debian.yml user={{ item }}
+  with_items: "{{ evolinux_admin_users }}"
+  when: ansible_distribution == "Debian"
+
+# - include: openbsd.yml
+#   when: ansible_distribution == "OpenBSD"

evolinux-admin-users/templates/sudoers_debian.j2

@@ -0,0 +1,10 @@
+Defaults        umask=0077
+
+Cmnd_Alias      MAINT = {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh, {{ listupgrade_scripts_dir or general_scripts_dir | mandatory }}/listupgrade.sh, /usr/bin/apt, /bin/mount
+User_Alias      ADMINS = {{ user.name }}
+
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
+nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
+
+ADMINS          ALL = (ALL:ALL) ALL
+ADMINS          ALL = NOPASSWD: MAINT

evolinux-base/README.md

@@ -0,0 +1,24 @@
+# evolinux-base
+
+Various tasks for Evolinux setup.
+
+## Tasks
+
+* `system.yml` :
+* `apt.yml` :
+* `install_tools.yml` :
+* `root.yml` :
+* `logs.yml` :
+
+## Available variables
+
+Main variables are :
+
+* `evolinux_delete_nfs`: delete NFS tools (default: `True`)
+* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`)
+* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
+* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
+* `apt_alert_email`: email address to send APT messages to (default: `general_alert_email`).
+* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.

evolinux-base/defaults/main.yml

@@ -0,0 +1,41 @@
+---
+general_alert_email: "root@localhost"
+reboot_alert_email: Null
+apt_alert_email: Null
+log2mail_alert_email: Null
+raid_alert_email: Null
+
+# hostname
+
+evolinux_hostname: "{{ ansible_hostname }}"
+evolinux_domain: "{{ ansible_domain }}"
+evolinux_fqdn: "{{ ansible_fqdn }}"
+evolinux_internal_hostname: "{{ evolinux_hostname }}"
+
+# apt
+
+evolinux_apt_repositories_components: "main"
+evolinux_apt_hooks: False
+# kernel
+
+evolinux_kernel_reboot_after_panic: True
+evolinux_kernel_disable_tcp_timestamps: True
+evolinux_kernel_reduce_swapiness: True
+evolinux_kernel_cve20165696: True
+
+# providers
+
+evolinux_provider_online: False
+evolinux_provider_orange_fce: False
+
+# default www
+
+evolinux_default_www_redirect_url: "http://evolix.fr"
+evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
+evolinux_default_www_nginx_enabled: False
+evolinux_default_www_apache_enabled: False
+
+# misc.
+
+evolinux_ntp_server: Null
+evolinux_delete_nfs: True

evolinux-base/files/logs/logrotate.d/apache2-php

@@ -0,0 +1,9 @@
+/var/log/php.log {
+        weekly
+        missingok
+        rotate 52
+        compress
+        delaycompress
+        notifempty
+        create 640 www-data adm
+}

evolinux-base/files/logs/logrotate.d/apt

@@ -0,0 +1,16 @@
+/var/log/apt/term.log {
+  rotate 120
+  monthly
+  compress
+  missingok
+  notifempty
+}
+
+/var/log/apt/history.log {
+  rotate 120
+  monthly
+  compress
+  missingok
+  notifempty
+}
+

evolinux-base/files/logs/logrotate.d/bind.disabled

@@ -0,0 +1,14 @@
+/var/chroot-bind/var/log/bind.log {
+    weekly
+    missingok
+    notifempty
+    rotate 4
+    create 640 bind bind
+    compress
+    delaycompress
+    sharedscripts
+    postrotate
+        rndc reload > /dev/null
+    endscript
+}
+

evolinux-base/files/logs/logrotate.d/dhcp

@@ -0,0 +1,9 @@
+/var/log/dhcp.log {
+    weekly
+    missingok
+    rotate 52
+    compress
+    delaycompress
+    create 640 root adm
+    notifempty
+}

evolinux-base/files/logs/logrotate.d/dpkg

@@ -0,0 +1,19 @@
+/var/log/dpkg.log {
+    monthly
+    rotate 120
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 644 root root
+}
+/var/log/alternatives.log {
+    monthly
+    rotate 120
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 644 root root
+}
+

evolinux-base/files/logs/logrotate.d/freeradius

@@ -0,0 +1,8 @@
+/var/log/freeradius/*.log {
+        weekly
+        missingok
+        rotate 52
+        compress
+        delaycompress
+        notifempty
+}

evolinux-base/files/logs/logrotate.d/ftp.disabled

@@ -0,0 +1,31 @@
+/var/log/proftpd.log {
+    weekly
+    missingok
+    rotate 13
+    compress
+    delaycompress
+    notifempty
+    create 640 root adm
+    sharedscripts
+        postrotate
+            /etc/init.d/proftpd restart > /dev/null
+        endscript
+}
+
+
+/var/log/xferlog.log {
+    weekly
+    rotate 1
+    missingok
+    create 640 root adm
+    sharedscripts
+        postrotate
+            DATE=$(date +"%d-%m-%Y")
+            cd /var/log
+            ftpstats -a -r -l 2 -d i-f xferlog.log.1 2>/dev/null >xferreport.$DATE
+            mv xferlog.log.1 xferlog.log.$DATE
+            gzip xferlog.log.$DATE
+            gzip xferreport.$DATE
+       endscript
+}
+

evolinux-base/files/logs/logrotate.d/ldap

@@ -0,0 +1,9 @@
+/var/log/openldap.log {
+        weekly
+        missingok
+        rotate 3
+	compress
+	notifempty
+        create 640 root adm
+}
+

evolinux-base/files/logs/logrotate.d/lighttpd.disabled

@@ -0,0 +1,19 @@
+/var/log/lighttpd/*.log {
+        weekly
+        missingok
+        copytruncate
+        rotate 52
+        compress
+        delaycompress
+        notifempty
+        sharedscripts
+        postrotate
+           if [ -f /var/run/lighttpd.pid ]; then \
+             if [ -x /usr/sbin/invoke-rc.d ]; then \
+                invoke-rc.d lighttpd force-reload > /dev/null; \
+             else \
+                /etc/init.d/lighttpd force-reload > /dev/null; \
+             fi; \
+           fi;
+        endscript
+}

evolinux-base/files/logs/logrotate.d/lvm-common.disabled

@@ -0,0 +1,6 @@
+/var/log/lvm {
+    daily
+    rotate 3
+    missingok
+    create 0640 root adm
+}

evolinux-base/files/logs/logrotate.d/news.disabled

@@ -0,0 +1,8 @@
+/var/log/news.log {
+    monthly
+    missingok
+    notifempty
+    rotate 1
+    create 640 root adm
+}
+

evolinux-base/files/logs/logrotate.d/nginx

@@ -0,0 +1,18 @@
+/var/log/nginx/*.log {
+        weekly
+        missingok
+        rotate 52
+        compress
+        delaycompress
+        notifempty
+        create 640 root adm
+        sharedscripts
+        prerotate
+                if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+                        run-parts /etc/logrotate.d/httpd-prerotate; \
+                fi; \
+        endscript
+        postrotate
+                [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
+        endscript
+}

evolinux-base/files/logs/logrotate.d/ntp.disabled

@@ -0,0 +1,14 @@
+/var/log/ntp.log {
+    weekly
+    rotate 1
+    missingok
+    create 640 root adm
+    sharedscripts
+        postrotate
+        DATE=$(date +"%d-%m-%Y")
+        cd /var/log
+        mv ntp.log.1 ntp.log.$DATE
+        gzip ntp.log.$DATE
+    endscript
+}
+

evolinux-base/files/logs/logrotate.d/postgresql

@@ -0,0 +1,7 @@
+/var/log/postgresql.log {
+    weekly
+    missingok
+    rotate 8
+    create 640 root adm
+}
+

evolinux-base/files/logs/logrotate.d/procmail

@@ -0,0 +1,11 @@
+/var/log/procmail.log {
+    daily
+    rotate 365
+    dateext
+    dateyesterday
+    dateformat .%Y%m%d
+    missingok
+    rotate 365
+    create 640 root adm
+}
+

evolinux-base/files/logs/logrotate.d/samba

@@ -0,0 +1,14 @@
+# Attention, bien mettre "log file = /var/log/samba/%m.log" dans la conf Samba
+/var/log/samba/*.log {
+        weekly
+        missingok
+        rotate 52
+        postrotate
+                invoke-rc.d --quiet samba reload > /dev/null
+                [ ! -f /var/run/samba/nmbd.pid ] || kill -HUP `cat /var/run/samba/nmbd.pid`
+                [ -f /var/run/samba/winbindd.pid ] && kill -HUP `cat /var/run/samba/winbindd.pid` || true
+        endscript
+        compress
+        notifempty
+}
+

evolinux-base/files/logs/logrotate.d/squid3.disabled

@@ -0,0 +1,11 @@
+/var/log/squid3/*.log {
+    monthly
+    compress
+    rotate 12
+    missingok
+    create 640 proxy adm
+    sharedscripts
+    postrotate
+        test ! -e /var/run/squid3.pid || /usr/sbin/squid3 -k rotate
+    endscript
+}

evolinux-base/files/logs/logrotate.d/zsyslog

@@ -0,0 +1,35 @@
+# Custom EvoLinux
+create 640 root adm
+dateext
+dateyesterday
+dateformat .%Y%m%d
+missingok
+notifempty
+delaycompress
+compress
+postrotate
+    invoke-rc.d rsyslog rotate > /dev/null
+endscript
+
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/lpr.log
+{
+    weekly
+    rotate 5
+}
+
+/var/log/auth.log
+/var/log/user.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+/var/log/syslog
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+{
+    daily
+    rotate 365
+}

evolinux-base/files/logs/rsyslog.conf

@@ -0,0 +1,122 @@
+# Syslog for Pack Evolix serveur - Debian Squeeze
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
+#$ModLoad immark  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none;cron,mail,local4,local5.none		-/var/log/syslog
+cron.*				/var/log/cron.log
+daemon.*			-/var/log/daemon.log
+kern.*				-/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+uucp.*                          /var/log/uucp.log
+news.*                          /var/log/news.log
+
+local4.*                        -/var/log/openldap.log
+local1.*                        /var/log/sympa.log
+local0.*                        /var/log/postgresql.log
+local7.*                        -/var/log/dhcp.log
+local5.*                        -/var/log/haproxy.log
+
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+#mail.info			-/var/log/mail.info
+#mail.warn			-/var/log/mail.warn
+#mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+#news.crit			/var/log/news/news.crit
+#news.err			/var/log/news/news.err
+#news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+#	auth,authpriv.none;\
+#	news.none;mail.none	-/var/log/debug
+#*.=info;*.=notice;*.=warn;\
+#	auth,authpriv.none;\
+#	cron,daemon.none;\
+#	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+#daemon.*;mail.*;\
+#	news.err;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	|/dev/xconsole

evolinux-base/files/root/gitconfig

@@ -0,0 +1,22 @@
+[core]
+  filemode = true
+  bare = false
+[color]
+  branch = auto
+  status = auto
+  diff = auto
+  interactive = auto
+  decorate = auto
+  grep = auto
+  ui = true
+[apply]
+  whitespace = nowarn
+[alias]
+  a = add
+  aa = add -A .
+  c = commit -v
+  ca = commit -v -a
+  d = diff --ignore-space-change --patience --no-prefix
+  dw = diff --word-diff
+  lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit --date=relative
+  s = status -s -b

evolinux-base/handlers/main.yml

@@ -0,0 +1,49 @@
+---
+- name: dpkg-reconfigure-debconf
+  command: dpkg-reconfigure --frontend noninteractive debconf
+
+- name: dpkg-reconfigure-locales
+  command: dpkg-reconfigure --frontend noninteractive locales
+
+- name: dpkg-reconfigure-apt
+  command: dpkg-reconfigure --frontend noninteractive apt-listchanges
+
+# - name: debconf-set-selections
+#   command: debconf-set-selections /root/debconf-preseed
+
+- name: apt update
+  apt:
+    update_cache: yes
+
+- name: restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted
+
+
+- name: remount /home
+  command: mount -o remount /home
+
+- name: remount /var
+  command: mount -o remount /var
+
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
+
+- name: restart apache
+  service:
+    name: apache2
+    state: restarted
+
+- name: reload apache
+  service:
+    name: apache2
+    state: reloaded

evolinux-base/tasks/apt.yml

@@ -0,0 +1,55 @@
+---
+
+- name: Setting apt config
+  lineinfile:
+    dest: /etc/apt/apt.conf.d/z-evolinux.conf
+    line: "{{ item }}"
+    create: yes
+    state: present
+    mode: 0640
+  with_items:
+  - "APT::Install-Recommends \"0\";"
+  - "APT::Install-Suggests \"0\";"
+
+- name: DPKg invoke hooks
+  lineinfile:
+    dest: /etc/apt/apt.conf.d/z-evolinux.conf
+    line: "{{ item }}"
+    create: yes
+    state: present
+    mode: 0640
+  with_items:
+  - "DPkg::Pre-Invoke { \"mount -oremount,exec /tmp && mount -oremount,rw /usr || true\"; };"
+  - "DPkg::Post-Invoke { \"mount -oremount /tmp && mount -oremount /usr || exit 0\"; };"
+  when: evolinux_apt_hooks
+
+- name: Original repositories are disabled
+  replace:
+    dest: /etc/apt/sources.list
+    regexp:  '^(deb(-src)? {{ item }}.+)'
+    replace: '# \1'
+  with_items:
+  # - '.+\.debian\.org'
+  - 'cdrom:'
+
+- name: Basic sources list is installed
+  lineinfile:
+    dest: /etc/apt/sources.list
+    line: "{{ item }}"
+  with_items:
+  - "deb http://security.debian.org/ jessie/updates {{ evolinux_apt_components | mandatory }}"
+  - "deb http://mirror.evolix.org/debian/ jessie {{ evolinux_apt_components | mandatory }}"
+  - "deb http://mirror.evolix.org/debian/ jessie-updates {{ evolinux_apt_components | mandatory }}"
+
+- name: Evolix public list is installed
+  template:
+    src: apt/evolix_public.list.j2
+    dest: /etc/apt/sources.list.d/evolix_public.list
+    force: yes
+    backup: yes
+    mode: 0640
+
+- name: Upgrading system
+  apt:
+    upgrade: dist
+    update_cache: yes

evolinux-base/tasks/default_packages.yml

@@ -0,0 +1,14 @@
+---
+- name: Install/Update default packages (might take some time)
+  command: "apt-get install -yq --allow-unauthenticated {{ evolinux_default_packages | join(' ') }}"
+  register: install_default_packages
+  changed_when: not (install_default_packages.stdout | search("0 upgraded") and install_default_packages.stdout | search("0 newly installed"))
+
+- name: Deleting rpcbin and nfs-common
+  apt:
+    name: "{{ item }}"
+    state: absent
+  with_items:
+    - rpcbind
+    - nfs-common
+  when: evolinux_delete_nfs

evolinux-base/tasks/default_www.yml

@@ -0,0 +1,108 @@
+---
+- name: /var/www is present
+  file:
+    path: /var/www
+    state: directory
+    mode: 0755
+
+- name: images are copied
+  copy:
+    src: default_www/img
+    dest: /var/www/
+    mode: 0755
+    directory_mode: 0755
+    follow: yes
+
+- name: index is copied
+  template:
+    src: default_www/index.html.j2
+    dest: /var/www/index.html
+    mode: 0755
+
+# SSL cert
+
+- name: ssl-cert package is installed
+  apt:
+    name: ssl-cert
+    state: installed
+
+- name: Create private key and csr for default site ({{ ansible_fqdn }})
+  shell: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
+  args:
+    creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
+
+- name: Adjust rights on private key
+  file:
+    path: /etc/ssl/private/{{ ansible_fqdn }}.key
+    owner: root
+    group: ssl-cert
+    mode: 0640
+
+- name: Create certificate for default site
+  shell: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
+  args:
+    creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
+
+
+# Nginx vhost
+
+- name: is Nginx installed?
+  stat:
+    path: /etc/nginx/sites-available
+  register: nginx_sites_available
+
+- block:
+  - name: nginx vhost is installed
+    template:
+      src: default_www/nginx_default_site.j2