evolix
/
ansible-roles
17
2
Fork 2
Code Issues 61 Pull Requests 19 Releases 29 Wiki Activity

Use FQCN
Ansible Lint |Total|New|Outstanding|Fixed|Trend |:-:|:-:|:-:|:-:|:-: |2777|524|2253|2462|:+1: Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/223//ansiblelint">Evolix » ansible-roles » unstable #223</a> Details
gitea/ansible-roles/pipeline/head This commit looks good Details 

Fully Qualified Collection Name
This commit is contained in:
Jérémy Lecour 2023-03-20 23:33:19 +01:00 committed by Jérémy Lecour
parent 7a73df6bd7
commit ee21973371
392 changed files with 2517 additions and 2298 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
amavis/handlers/main.yml
View File

@ -1,5 +1,5 @@
---
- name: restart amavis
service:
ansible.builtin.service:
name: amavis
state: restarted

4
amavis/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: install Amavis
apt:
ansible.builtin.apt:
name:
- postgrey
- amavisd-new
@ -9,7 +9,7 @@
- amavis
- name: configure Amavis
template:
ansible.builtin.template:
src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644"

6
amazon-ec2/amazon-ec2-evolinux.yml
View File

@ -9,10 +9,10 @@
aws_region: ca-central-1
tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: setup.yml
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: create-instance.yml
@ -51,7 +51,7 @@
- mysql
post_tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/etc-git
tasks_from: commit.yml
vars:

8
amazon-ec2/tasks/create-instance.yml
View File

@ -1,7 +1,7 @@
---
- name: Launch new instance(s)
ec2:
amazon.aws.ec2:
state: present
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
@ -16,19 +16,19 @@
register: ec2
- name: Add newly created instance(s) to inventory
add_host:
ansible.builtin.add_host:
hostname: "{{ item.public_dns_name }}"
groupname: launched-instances
ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ ec2.instances }}"
- debug:
- ansible.builtin.debug:
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}"
- name: Wait for SSH to come up on all instances (give up after 2m)
wait_for:
ansible.builtin.wait_for:
state: started
host: "{{ item.public_dns_name }}"
port: 22

2
amazon-ec2/tasks/post-install.yml
View File

@ -1,5 +1,5 @@
---
- name: Remove admin user
user:
ansible.builtin.user:
name: admin
state: absent

4
amazon-ec2/tasks/setup.yml
View File

@ -1,7 +1,7 @@
---
- name: Create default security group
ec2_group:
amazon.aws.ec2_group:
name: "{{ ec2_security_group.name }}"
state: present
aws_access_key: "{{ aws_access_key }}"
@ -12,7 +12,7 @@
rules_egress: "{{ ec2_security_group.rules_egress }}"
- name: Create key pair
ec2_key:
amazon.aws.ec2_key:
name: "{{ ec2_keyname }}"
state: present
aws_access_key: "{{ aws_access_key }}"

6
apache/handlers/main.yml
View File

@ -1,15 +1,15 @@
---
- name: restart apache
service:
ansible.builtin.service:
name: apache2
state: restarted
- name: reload apache
service:
ansible.builtin.service:
name: apache2
state: reloaded
- name: restart munin-node
service:
ansible.builtin.service:
name: munin-node
state: restarted

12
apache/tasks/auth.yml
View File

@ -1,7 +1,7 @@
---
- name: Init ipaddr_whitelist.conf file
copy:
ansible.builtin.copy:
src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf
owner: root
@ -12,10 +12,10 @@
- apache
- name: Load IP whitelist task
include: ip_whitelist.yml
ansible.builtin.import_tasks: ip_whitelist.yml
- name: include private IP whitelist for server-status
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/mods-available/status.conf
line: " include /etc/apache2/ipaddr_whitelist.conf"
insertafter: 'SetHandler server-status'
@ -24,7 +24,7 @@
- apache
- name: Copy private_htpasswd
copy:
ansible.builtin.copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
@ -36,7 +36,7 @@
- apache
- name: add user:pwd to private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
@ -46,7 +46,7 @@
- apache
- name: remove user:pwd from private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent

4
apache/tasks/ip_whitelist.yml
View File

@ -1,7 +1,7 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
@ -12,7 +12,7 @@
- ips
- name: remove IP addresses from private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent

4
apache/tasks/log2mail.yml
View File

@ -1,14 +1,14 @@
---
- name: log2mail is installed
apt:
ansible.builtin.apt:
name: log2mail
state: present
tags:
- apache
- name: Add log2mail config for Apache segfaults
template:
ansible.builtin.template:
src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache"
owner: log2mail

46
apache/tasks/main.yml
View File

@ -1,7 +1,7 @@
---
- name: packages are installed (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- apache2
- libapache2-mod-evasive
@ -14,7 +14,7 @@
when: ansible_distribution_major_version is version('9', '>=')
- name: itk package is installed if required (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- libapache2-mpm-itk
state: present
@ -26,7 +26,7 @@
- apache_mpm == "itk"
- name: packages are installed (jessie)
apt:
ansible.builtin.apt:
name:
- apache2-mpm-itk
- libapache2-mod-evasive
@ -39,7 +39,7 @@
when: ansible_distribution_release == "jessie"
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -55,7 +55,7 @@
- apache
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -67,7 +67,7 @@
- name: Copy Apache defaults config file
copy:
ansible.builtin.copy:
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root
@ -79,7 +79,7 @@
- apache
- name: Copy Apache custom config file
copy:
ansible.builtin.copy:
src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root
@ -91,7 +91,7 @@
- apache
- name: disable status.conf
file:
ansible.builtin.file:
dest: /etc/apache2/mods-enabled/status.conf
state: absent
notify: reload apache
@ -99,7 +99,8 @@
- apache
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
ansible.builtin.command:
cmd: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
loop:
@ -109,12 +110,12 @@
tags:
- apache
- include: auth.yml
- ansible.builtin.include: auth.yml
tags:
- apache
- name: default vhost is installed
template:
ansible.builtin.template:
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
@ -124,7 +125,7 @@
- apache
- name: default vhost is enabled
file:
ansible.builtin.file:
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
@ -134,12 +135,13 @@
tags:
- apache
- include: server_status.yml
- ansible.builtin.include: server_status.yml
tags:
- apache
- name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars"
ansible.builtin.command:
cmd: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
@ -148,7 +150,7 @@
- apache
- name: Add a mark in envvars for umask
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
@ -159,13 +161,13 @@
tags:
- apache
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
tags:
- apache
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -175,7 +177,7 @@
- apache
- name: "Install save_apache_status.sh"
copy:
ansible.builtin.copy:
src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh
mode: "0755"
@ -184,7 +186,7 @@
- apache
- name: "logrotate: {{ apache_logrotate_frequency }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: "(daily|weekly|monthly)"
replace: "{{ apache_logrotate_frequency }}"
@ -192,19 +194,19 @@
- apache
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: '^(\s+rotate) \d+$'
replace: '\1 {{ apache_logrotate_rotate }}'
tags:
- apache
- include: log2mail.yml
- ansible.builtin.include: log2mail.yml
when: apache_log2mail_include
tags:
- apache
- include: munin.yml
- ansible.builtin.include: munin.yml
when: apache_munin_include | bool
tags:
- apache

11
apache/tasks/munin.yml
View File

@ -1,7 +1,7 @@
---
- name: "Install munin-node and core plugins packages"
apt:
ansible.builtin.apt:
name:
- munin-node
- munin-plugins-core
@ -11,7 +11,7 @@
- munin
- name: "Enable Munin plugins"
file:
ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
@ -25,7 +25,7 @@
- munin
- name: "Install fcgi packages for Munin graphs"
apt:
ansible.builtin.apt:
name:
- libapache2-mod-fcgid
- libcgi-fast-perl
@ -36,7 +36,8 @@
- munin
- name: "Enable libapache2-mod-fcgid"
command: a2enmod fcgid
ansible.builtin.command:
cmd: a2enmod fcgid
register: cmd_enable_fcgid
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
notify: restart apache
@ -45,7 +46,7 @@
- munin
- name: "Apache has access to /var/log/munin/"
file:
ansible.builtin.file:
path: /var/log/munin/
group: www-data
tags:

26
apache/tasks/server_status.yml
View File

@ -1,7 +1,7 @@
---
- name: server status dirname exists
file:
ansible.builtin.file:
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
mode: "0700"
owner: root
@ -9,7 +9,7 @@
state: directory
- name: set apache serverstatus suffix if provided
copy:
ansible.builtin.copy:
dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
@ -17,51 +17,53 @@
when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
ansible.builtin.shell:
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
args:
creates: "{{ apache_serverstatus_suffix_file }}"
- name: read apache server status suffix
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
ansible.builtin.command:
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
changed_when: False
check_mode: no
register: new_apache_serverstatus_suffix
- name: overwrite apache_serverstatus_suffix
set_fact:
ansible.builtin.set_fact:
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
- debug:
- ansible.builtin.debug:
var: apache_serverstatus_suffix
verbosity: 1
- name: replace server-status suffix in default site index
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
replace:
ansible.builtin.replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache
- name: Munin configuration has a section for apache
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "[apache_*]"
create: no
- name: apache-status URL is configured for Munin
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status'
@ -70,7 +72,7 @@
notify: restart munin-node
- name: add mailgraph URL in index.html
lineinfile:
ansible.builtin.lineinfile:
dest: /var/www/index.html
state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'

6
apt/tasks/backports.deb822.yml
View File

@ -1,7 +1,7 @@
---
- name: Backports deb822 sources list is installed
template:
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources
force: yes
@ -11,7 +11,7 @@
- apt
- name: Backports configuration
copy:
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
@ -21,7 +21,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
when: apt_backports_sources is changed or apt_backports_config is changed
tags:

10
apt/tasks/backports.oneline.yml
View File

@ -1,6 +1,6 @@
---
- name: No backports config in default sources.list
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
@ -8,7 +8,7 @@
- apt
- name: Backports sources list is installed
template:
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
@ -18,7 +18,7 @@
- apt
- name: Backports configuration
copy:
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
@ -28,7 +28,7 @@
- apt
- name: Archived backport are accepted (jessie)
lineinfile:
ansible.builtin.lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
@ -38,7 +38,7 @@
when: ansible_distribution_release == "jessie"
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

4
apt/tasks/backports.yml
View File

@ -3,11 +3,11 @@
# Backward compatibility task file
- name: Install backports repositories (Debian <12)
import_tasks: backports.oneline.yml
ansible.builtin.import_tasks: backports.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Install backports repositories (Debian >=12)
import_tasks: backports.deb822.yml
ansible.builtin.import_tasks: backports.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

9
apt/tasks/basics.deb822.yml
View File

@ -1,7 +1,7 @@
---
- name: Change basics repositories
template:
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources
mode: "0644"
@ -11,7 +11,7 @@
- apt
- name: Change security repositories
template:
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources
mode: "0644"
@ -27,7 +27,8 @@
register: list_files
- name: Disable one-line-formatted sources
command: "mv --verbose {{ item.path }} {{ item.path }}.bak"
ansible.builtin.command:
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
environment:
LC_ALL: C
loop: "{{ list_files.files }}"
@ -37,7 +38,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

4
apt/tasks/basics.oneline.yml
View File

@ -1,7 +1,7 @@
---
- name: Change basics repositories
template:
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
@ -11,7 +11,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

4
apt/tasks/basics.yml
View File

@ -3,11 +3,11 @@
# Backward compatibility task file
- name: Install basics repositories (Debian <12)
import_tasks: basics.oneline.yml
ansible.builtin.import_tasks: basics.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12)
import_tasks: basics.deb822.yml
ansible.builtin.import_tasks: basics.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

6
apt/tasks/config.yml
View File

@ -1,7 +1,7 @@
---
- name: Evolinux config for APT
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
@ -17,7 +17,7 @@
when: apt_evolinux_config | bool
- name: DPkg invoke hooks
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item }}"
create: yes
@ -33,7 +33,7 @@
when: apt_hooks | bool
- name: Remove Aptitude
apt:
ansible.builtin.apt:
name: aptitude
state: absent
tags:

10
apt/tasks/evolix_public.deb822.yml
View File

@ -1,14 +1,14 @@
---
- name: Look for legacy apt keyring
stat:
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
apt_key:
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
@ -17,7 +17,7 @@
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
copy:
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
@ -28,7 +28,7 @@
- apt
- name: Evolix public list is installed
template:
ansible.builtin.template:
src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources
force: yes
@ -38,7 +38,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

10
apt/tasks/evolix_public.oneline.yml
View File

@ -1,14 +1,14 @@
---
- name: Look for legacy apt keyring
stat:
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
apt_key:
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
@ -17,7 +17,7 @@
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
copy:
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
@ -28,7 +28,7 @@
- apt
- name: Evolix public list is installed
template:
ansible.builtin.template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
@ -38,7 +38,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

4
apt/tasks/evolix_public.yml
View File

@ -3,11 +3,11 @@
# Backward compatibility task file
- name: Install Evolix Public repositories (Debian <12)
import_tasks: evolix_public.oneline.yml
ansible.builtin.import_tasks: evolix_public.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
import_tasks: evolix_public.deb822.yml
ansible.builtin.import_tasks: evolix_public.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

25
apt/tasks/hold_packages.yml
View File

@ -1,11 +1,11 @@
---
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: "hold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -18,7 +18,7 @@
- apt
- name: "/etc/evolinux is present"
file:
ansible.builtin.file:
dest: /etc/evolinux
mode: "0700"
state: directory
@ -26,7 +26,7 @@
- apt
- name: "hold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -36,8 +36,8 @@
- apt
- name: "unhold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -48,7 +48,7 @@
- apt
- name: "unhold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -58,7 +58,7 @@
- apt
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -68,7 +68,7 @@
- apt
- name: Check scripts is installed
copy:
ansible.builtin.copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: yes
@ -77,7 +77,8 @@
- apt
- name: Check if Cron is installed
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
ansible.builtin.shell:
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: False
failed_when: False
@ -86,7 +87,7 @@
- apt
- name: Check for held packages (script)
cron:
ansible.builtin.cron:
cron_file: apt-hold-packages
name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh"

28
apt/tasks/main.yml
View File

@ -1,7 +1,7 @@
---
- name: "Compatibility check"
assert:
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
@ -10,7 +10,7 @@
- apt
- name: "apt-transport-https is installed for https repositories (before Buster)"
apt:
ansible.builtin.apt:
name:
- apt-transport-https
tags:
@ -18,20 +18,20 @@
when: ansible_distribution_major_version is version('10', '<')
- name: "certificates are installed for https repositories"
apt:
ansible.builtin.apt:
name:
- ca-certificates
tags:
- apt
- name: Custom configuration
import_tasks: config.yml
ansible.builtin.import_tasks: config.yml
when: apt_config | bool
tags:
- apt
- name: Install basics repositories (Debian <12)
import_tasks: basics.oneline.yml
ansible.builtin.import_tasks: basics.oneline.yml
tags:
- apt
when:
@ -39,7 +39,7 @@
- ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12)
import_tasks: basics.deb822.yml
ansible.builtin.import_tasks: basics.deb822.yml
tags:
- apt
when:
@ -47,7 +47,7 @@
- ansible_distribution_major_version is version('12', '>=')
- name: Install backports repositories (Debian <12)
import_tasks: backports.oneline.yml
ansible.builtin.import_tasks: backports.oneline.yml
tags:
- apt
when:
@ -57,7 +57,7 @@
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
- name: Install backports repositories (Debian >=12)
import_tasks: backports.deb822.yml
ansible.builtin.import_tasks: backports.deb822.yml
tags:
- apt
when:
@ -65,7 +65,7 @@
- name: Install Evolix Public repositories (Debian <12)
import_tasks: evolix_public.oneline.yml
ansible.builtin.import_tasks: evolix_public.oneline.yml
tags:
- apt
when:
@ -73,7 +73,7 @@
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
import_tasks: evolix_public.deb822.yml
ansible.builtin.import_tasks: evolix_public.deb822.yml
tags:
- apt
when:
@ -81,7 +81,7 @@
- ansible_distribution_major_version is version('12', '>=')
- name: Clean GANDI sources
file:
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop:
@ -97,20 +97,20 @@
- name: Install check for packages marked hold
import_tasks: hold_packages.yml
ansible.builtin.import_tasks: hold_packages.yml
when: apt_install_hold_packages | bool
tags:
- apt
- name: Updating APT cache
apt:
ansible.builtin.apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
apt:
ansible.builtin.apt:
upgrade: dist
when: apt_upgrade | bool
tags:

9
apt/tasks/migrate-to-deb822.yml
View File

@ -1,9 +1,9 @@
---
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -13,7 +13,7 @@
- apt
- name: Migration scripts are installed
copy:
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: yes
@ -25,7 +25,8 @@
- apt
- name: Exec migration script
command: /usr/share/scripts/deb822-migration.sh
ansible.builtin.command:
cmd: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes
tags:
- apt

13
apt/tasks/move-apt-keyring.yml
View File

@ -1,18 +1,18 @@
---
- name: New APT keyrings directory is present
file:
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
owner: root
group: root
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -22,7 +22,7 @@
- apt
- name: migration script is present
copy:
ansible.builtin.copy:
src: move-apt-keyrings.sh
dest: /usr/share/scripts/move-apt-keyrings.sh
mode: "0755"
@ -30,7 +30,8 @@
group: root
- name: Move repository signing key
command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
ansible.builtin.command:
cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
loop:
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
@ -48,5 +49,5 @@
register: _cmd
- name: Debug command
debug:
ansible.builtin.debug:
var: _cmd

8
bind/handlers/main.yml
View File

@ -1,21 +1,21 @@
---
- name: reload systemd
systemd:
ansible.builtin.systemd:
daemon-reload: yes
- name: restart apparmor
systemd:
ansible.builtin.systemd:
name: apparmor
state: restarted
- name: restart bind
systemd:
ansible.builtin.systemd:
name: bind9
state: restarted
- name: restart munin-node
systemd:
ansible.builtin.systemd:
name: munin-node
state: restarted

2
bind/tasks/authoritative.yml
View File

@ -1,7 +1,7 @@
---
- name: Set bind configuration for authoritative server
template:
ansible.builtin.template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind

32
bind/tasks/main.yml
View File

@ -1,6 +1,6 @@
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
- name: set chroot variables
set_fact:
ansible.builtin.set_fact:
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind
@ -9,14 +9,15 @@
when: bind_chroot_set | bool
- name: Check AppArmor
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
ansible.builtin.shell:
cmd: systemctl is-active apparmor || systemctl is-enabled apparmor
failed_when: False
changed_when: False
check_mode: no
register: check_apparmor
- name: configure apparmor
template:
ansible.builtin.template:
src: apparmor.usr.sbin.named.j2
dest: /etc/apparmor.d/usr.sbin.named
owner: root
@ -27,20 +28,20 @@
when: check_apparmor.rc == 0
- name: package are installed
apt:
ansible.builtin.apt:
name:
- bind9
- dnstop
state: present
- include: authoritative.yml
- ansible.builtin.include: authoritative.yml
when: bind_authoritative_server | bool
- include: recursive.yml
- ansible.builtin.include: recursive.yml
when: bind_recursive_server | bool
- name: Create systemd service for Debian 8 (Jessie)
template:
ansible.builtin.template:
src: bind9.service.jessie.j2
dest: "{{ bind_systemd_service_path }}"
owner: root
@ -53,7 +54,7 @@
when: ansible_distribution_release == "jessie"
- name: "touch {{ bind_log_file }} if non chroot"
file:
ansible.builtin.file:
path: "{{ bind_log_file }}"
owner: bind
group: adm
@ -62,7 +63,7 @@
when: not (bind_chroot_set | bool)
- name: "touch {{ bind_query_file }} if non chroot"
file:
ansible.builtin.file:
path: "{{ bind_query_file }}"
owner: bind
group: adm
@ -71,7 +72,7 @@
when: not (bind_chroot_set | bool)
- name: send chroot-bind.sh in /root
copy:
ansible.builtin.copy:
src: chroot-bind.sh
dest: /root/chroot-bind.sh
mode: "0700"
@ -81,19 +82,20 @@
when: bind_chroot_set | bool
- name: exec chroot-bind.sh
command: "/root/chroot-bind.sh"
ansible.builtin.command:
cmd: "/root/chroot-bind.sh"
register: chrootbind_run
changed_when: False
when: bind_chroot_set | bool
- debug:
- ansible.builtin.debug:
var: chrootbind_run.stdout_lines
when:
- bind_chroot_set | bool
- chrootbind_run.stdout | length > 0
- name: Modify OPTIONS in /etc/default/bind9 for chroot
replace:
ansible.builtin.replace:
dest: /etc/default/bind9
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
@ -101,7 +103,7 @@
when: bind_chroot_set | bool
- name: logrotate for bind
template:
ansible.builtin.template:
src: logrotate_bind.j2
dest: /etc/logrotate.d/bind9
owner: root
@ -110,4 +112,4 @@
force: yes
notify: restart bind
- include: munin.yml
- ansible.builtin.include: munin.yml

22
bind/tasks/munin.yml
View File

@ -1,7 +1,7 @@
---
- name: is Munin present ?
stat:
ansible.builtin.stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: munin_node_plugins_config
@ -10,7 +10,7 @@
- munin
- name: Enable munin plugins for authoritative server
file:
ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
@ -18,31 +18,31 @@
- bind9
- bind9_rndc