Use FQCN
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend |:-:|:-:|:-:|:-:|:-: |2777|524|2253|2462|:+1: Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/223//ansiblelint">Evolix » ansible-roles » unstable #223</a>
gitea/ansible-roles/pipeline/head This commit looks good

Fully Qualified Collection Name
This commit is contained in:
Jérémy Lecour 2023-03-20 23:33:19 +01:00 committed by Jérémy Lecour
parent 7a73df6bd7
commit ee21973371
392 changed files with 2517 additions and 2298 deletions

View file

@ -1,5 +1,5 @@
---
- name: restart amavis
service:
ansible.builtin.service:
name: amavis
state: restarted

View file

@ -1,6 +1,6 @@
---
- name: install Amavis
apt:
ansible.builtin.apt:
name:
- postgrey
- amavisd-new
@ -9,7 +9,7 @@
- amavis
- name: configure Amavis
template:
ansible.builtin.template:
src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644"

View file

@ -9,10 +9,10 @@
aws_region: ca-central-1
tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: setup.yml
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: create-instance.yml
@ -51,7 +51,7 @@
- mysql
post_tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/etc-git
tasks_from: commit.yml
vars:

View file

@ -1,7 +1,7 @@
---
- name: Launch new instance(s)
ec2:
amazon.aws.ec2:
state: present
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
@ -16,19 +16,19 @@
register: ec2
- name: Add newly created instance(s) to inventory
add_host:
ansible.builtin.add_host:
hostname: "{{ item.public_dns_name }}"
groupname: launched-instances
ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ ec2.instances }}"
- debug:
- ansible.builtin.debug:
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}"
- name: Wait for SSH to come up on all instances (give up after 2m)
wait_for:
ansible.builtin.wait_for:
state: started
host: "{{ item.public_dns_name }}"
port: 22

View file

@ -1,5 +1,5 @@
---
- name: Remove admin user
user:
ansible.builtin.user:
name: admin
state: absent

View file

@ -1,7 +1,7 @@
---
- name: Create default security group
ec2_group:
amazon.aws.ec2_group:
name: "{{ ec2_security_group.name }}"
state: present
aws_access_key: "{{ aws_access_key }}"
@ -12,7 +12,7 @@
rules_egress: "{{ ec2_security_group.rules_egress }}"
- name: Create key pair
ec2_key:
amazon.aws.ec2_key:
name: "{{ ec2_keyname }}"
state: present
aws_access_key: "{{ aws_access_key }}"

View file

@ -1,15 +1,15 @@
---
- name: restart apache
service:
ansible.builtin.service:
name: apache2
state: restarted
- name: reload apache
service:
ansible.builtin.service:
name: apache2
state: reloaded
- name: restart munin-node
service:
ansible.builtin.service:
name: munin-node
state: restarted

View file

@ -1,7 +1,7 @@
---
- name: Init ipaddr_whitelist.conf file
copy:
ansible.builtin.copy:
src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf
owner: root
@ -12,10 +12,10 @@
- apache
- name: Load IP whitelist task
include: ip_whitelist.yml
ansible.builtin.import_tasks: ip_whitelist.yml
- name: include private IP whitelist for server-status
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/mods-available/status.conf
line: " include /etc/apache2/ipaddr_whitelist.conf"
insertafter: 'SetHandler server-status'
@ -24,7 +24,7 @@
- apache
- name: Copy private_htpasswd
copy:
ansible.builtin.copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
@ -36,7 +36,7 @@
- apache
- name: add user:pwd to private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
@ -46,7 +46,7 @@
- apache
- name: remove user:pwd from private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent

View file

@ -1,7 +1,7 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
@ -12,7 +12,7 @@
- ips
- name: remove IP addresses from private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent

View file

@ -1,14 +1,14 @@
---
- name: log2mail is installed
apt:
ansible.builtin.apt:
name: log2mail
state: present
tags:
- apache
- name: Add log2mail config for Apache segfaults
template:
ansible.builtin.template:
src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache"
owner: log2mail

View file

@ -1,7 +1,7 @@
---
- name: packages are installed (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- apache2
- libapache2-mod-evasive
@ -14,7 +14,7 @@
when: ansible_distribution_major_version is version('9', '>=')
- name: itk package is installed if required (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- libapache2-mpm-itk
state: present
@ -26,7 +26,7 @@
- apache_mpm == "itk"
- name: packages are installed (jessie)
apt:
ansible.builtin.apt:
name:
- apache2-mpm-itk
- libapache2-mod-evasive
@ -39,7 +39,7 @@
when: ansible_distribution_release == "jessie"
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -55,7 +55,7 @@
- apache
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -67,7 +67,7 @@
- name: Copy Apache defaults config file
copy:
ansible.builtin.copy:
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root
@ -79,7 +79,7 @@
- apache
- name: Copy Apache custom config file
copy:
ansible.builtin.copy:
src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root
@ -91,7 +91,7 @@
- apache
- name: disable status.conf
file:
ansible.builtin.file:
dest: /etc/apache2/mods-enabled/status.conf
state: absent
notify: reload apache
@ -99,7 +99,8 @@
- apache
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
ansible.builtin.command:
cmd: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
loop:
@ -109,12 +110,12 @@
tags:
- apache
- include: auth.yml
- ansible.builtin.include: auth.yml
tags:
- apache
- name: default vhost is installed
template:
ansible.builtin.template:
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
@ -124,7 +125,7 @@
- apache
- name: default vhost is enabled
file:
ansible.builtin.file:
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
@ -134,12 +135,13 @@
tags:
- apache
- include: server_status.yml
- ansible.builtin.include: server_status.yml
tags:
- apache
- name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars"
ansible.builtin.command:
cmd: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
@ -148,7 +150,7 @@
- apache
- name: Add a mark in envvars for umask
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
@ -159,13 +161,13 @@
tags:
- apache
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
tags:
- apache
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -175,7 +177,7 @@
- apache
- name: "Install save_apache_status.sh"
copy:
ansible.builtin.copy:
src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh
mode: "0755"
@ -184,7 +186,7 @@
- apache
- name: "logrotate: {{ apache_logrotate_frequency }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: "(daily|weekly|monthly)"
replace: "{{ apache_logrotate_frequency }}"
@ -192,19 +194,19 @@
- apache
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: '^(\s+rotate) \d+$'
replace: '\1 {{ apache_logrotate_rotate }}'
tags:
- apache
- include: log2mail.yml
- ansible.builtin.include: log2mail.yml
when: apache_log2mail_include
tags:
- apache
- include: munin.yml
- ansible.builtin.include: munin.yml
when: apache_munin_include | bool
tags:
- apache

View file

@ -1,7 +1,7 @@
---
- name: "Install munin-node and core plugins packages"
apt:
ansible.builtin.apt:
name:
- munin-node
- munin-plugins-core
@ -11,7 +11,7 @@
- munin
- name: "Enable Munin plugins"
file:
ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
@ -25,7 +25,7 @@
- munin
- name: "Install fcgi packages for Munin graphs"
apt:
ansible.builtin.apt:
name:
- libapache2-mod-fcgid
- libcgi-fast-perl
@ -36,7 +36,8 @@
- munin
- name: "Enable libapache2-mod-fcgid"
command: a2enmod fcgid
ansible.builtin.command:
cmd: a2enmod fcgid
register: cmd_enable_fcgid
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
notify: restart apache
@ -45,7 +46,7 @@
- munin
- name: "Apache has access to /var/log/munin/"
file:
ansible.builtin.file:
path: /var/log/munin/
group: www-data
tags:

View file

@ -1,7 +1,7 @@
---
- name: server status dirname exists
file:
ansible.builtin.file:
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
mode: "0700"
owner: root
@ -9,7 +9,7 @@
state: directory
- name: set apache serverstatus suffix if provided
copy:
ansible.builtin.copy:
dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
@ -17,51 +17,53 @@
when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
ansible.builtin.shell:
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
args:
creates: "{{ apache_serverstatus_suffix_file }}"
- name: read apache server status suffix
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
ansible.builtin.command:
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
changed_when: False
check_mode: no
register: new_apache_serverstatus_suffix
- name: overwrite apache_serverstatus_suffix
set_fact:
ansible.builtin.set_fact:
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
- debug:
- ansible.builtin.debug:
var: apache_serverstatus_suffix
verbosity: 1
- name: replace server-status suffix in default site index
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
replace:
ansible.builtin.replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache
- name: Munin configuration has a section for apache
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "[apache_*]"
create: no
- name: apache-status URL is configured for Munin
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status'
@ -70,7 +72,7 @@
notify: restart munin-node
- name: add mailgraph URL in index.html
lineinfile:
ansible.builtin.lineinfile:
dest: /var/www/index.html
state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'

View file

@ -1,7 +1,7 @@
---
- name: Backports deb822 sources list is installed
template:
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources
force: yes
@ -11,7 +11,7 @@
- apt
- name: Backports configuration
copy:
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
@ -21,7 +21,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
when: apt_backports_sources is changed or apt_backports_config is changed
tags:

View file

@ -1,6 +1,6 @@
---
- name: No backports config in default sources.list
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
@ -8,7 +8,7 @@
- apt
- name: Backports sources list is installed
template:
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
@ -18,7 +18,7 @@
- apt
- name: Backports configuration
copy:
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
@ -28,7 +28,7 @@
- apt
- name: Archived backport are accepted (jessie)
lineinfile:
ansible.builtin.lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
@ -38,7 +38,7 @@
when: ansible_distribution_release == "jessie"
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

View file

@ -3,11 +3,11 @@
# Backward compatibility task file
- name: Install backports repositories (Debian <12)
import_tasks: backports.oneline.yml
ansible.builtin.import_tasks: backports.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Install backports repositories (Debian >=12)
import_tasks: backports.deb822.yml
ansible.builtin.import_tasks: backports.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

View file

@ -1,7 +1,7 @@
---
- name: Change basics repositories
template:
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources
mode: "0644"
@ -11,7 +11,7 @@
- apt
- name: Change security repositories
template:
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources
mode: "0644"
@ -27,7 +27,8 @@
register: list_files
- name: Disable one-line-formatted sources
command: "mv --verbose {{ item.path }} {{ item.path }}.bak"
ansible.builtin.command:
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
environment:
LC_ALL: C
loop: "{{ list_files.files }}"
@ -37,7 +38,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

View file

@ -1,7 +1,7 @@
---
- name: Change basics repositories
template:
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
@ -11,7 +11,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

View file

@ -3,11 +3,11 @@
# Backward compatibility task file
- name: Install basics repositories (Debian <12)
import_tasks: basics.oneline.yml
ansible.builtin.import_tasks: basics.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12)
import_tasks: basics.deb822.yml
ansible.builtin.import_tasks: basics.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

View file

@ -1,7 +1,7 @@
---
- name: Evolinux config for APT
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
@ -17,7 +17,7 @@
when: apt_evolinux_config | bool
- name: DPkg invoke hooks
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item }}"
create: yes
@ -33,7 +33,7 @@
when: apt_hooks | bool
- name: Remove Aptitude
apt:
ansible.builtin.apt:
name: aptitude
state: absent
tags:

View file

@ -1,14 +1,14 @@
---
- name: Look for legacy apt keyring
stat:
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
apt_key:
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
@ -17,7 +17,7 @@
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
copy:
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
@ -28,7 +28,7 @@
- apt
- name: Evolix public list is installed
template:
ansible.builtin.template:
src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources
force: yes
@ -38,7 +38,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

View file

@ -1,14 +1,14 @@
---
- name: Look for legacy apt keyring
stat:
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
apt_key:
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
@ -17,7 +17,7 @@
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
copy:
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
@ -28,7 +28,7 @@
- apt
- name: Evolix public list is installed
template:
ansible.builtin.template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
@ -38,7 +38,7 @@
- apt
- name: Apt update
apt:
ansible.builtin.apt:
update_cache: yes
tags:
- apt

View file

@ -3,11 +3,11 @@
# Backward compatibility task file
- name: Install Evolix Public repositories (Debian <12)
import_tasks: evolix_public.oneline.yml
ansible.builtin.import_tasks: evolix_public.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
import_tasks: evolix_public.deb822.yml
ansible.builtin.import_tasks: evolix_public.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')

View file

@ -1,11 +1,11 @@
---
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: "hold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -18,7 +18,7 @@
- apt
- name: "/etc/evolinux is present"
file:
ansible.builtin.file:
dest: /etc/evolinux
mode: "0700"
state: directory
@ -26,7 +26,7 @@
- apt
- name: "hold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -36,8 +36,8 @@
- apt
- name: "unhold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -48,7 +48,7 @@
- apt
- name: "unhold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -58,7 +58,7 @@
- apt
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -68,7 +68,7 @@
- apt
- name: Check scripts is installed
copy:
ansible.builtin.copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: yes
@ -77,7 +77,8 @@
- apt
- name: Check if Cron is installed
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
ansible.builtin.shell:
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: False
failed_when: False
@ -86,7 +87,7 @@
- apt
- name: Check for held packages (script)
cron:
ansible.builtin.cron:
cron_file: apt-hold-packages
name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh"

View file

@ -1,7 +1,7 @@
---
- name: "Compatibility check"
assert:
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
@ -10,7 +10,7 @@
- apt
- name: "apt-transport-https is installed for https repositories (before Buster)"
apt:
ansible.builtin.apt:
name:
- apt-transport-https
tags:
@ -18,20 +18,20 @@
when: ansible_distribution_major_version is version('10', '<')
- name: "certificates are installed for https repositories"
apt:
ansible.builtin.apt:
name:
- ca-certificates
tags:
- apt
- name: Custom configuration
import_tasks: config.yml
ansible.builtin.import_tasks: config.yml
when: apt_config | bool
tags:
- apt
- name: Install basics repositories (Debian <12)
import_tasks: basics.oneline.yml
ansible.builtin.import_tasks: basics.oneline.yml
tags:
- apt
when:
@ -39,7 +39,7 @@
- ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12)
import_tasks: basics.deb822.yml
ansible.builtin.import_tasks: basics.deb822.yml
tags:
- apt
when:
@ -47,7 +47,7 @@
- ansible_distribution_major_version is version('12', '>=')
- name: Install backports repositories (Debian <12)
import_tasks: backports.oneline.yml
ansible.builtin.import_tasks: backports.oneline.yml
tags:
- apt
when:
@ -57,7 +57,7 @@
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
- name: Install backports repositories (Debian >=12)
import_tasks: backports.deb822.yml
ansible.builtin.import_tasks: backports.deb822.yml
tags:
- apt
when:
@ -65,7 +65,7 @@
- name: Install Evolix Public repositories (Debian <12)
import_tasks: evolix_public.oneline.yml
ansible.builtin.import_tasks: evolix_public.oneline.yml
tags:
- apt
when:
@ -73,7 +73,7 @@
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
import_tasks: evolix_public.deb822.yml
ansible.builtin.import_tasks: evolix_public.deb822.yml
tags:
- apt
when:
@ -81,7 +81,7 @@
- ansible_distribution_major_version is version('12', '>=')
- name: Clean GANDI sources
file:
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop:
@ -97,20 +97,20 @@
- name: Install check for packages marked hold
import_tasks: hold_packages.yml
ansible.builtin.import_tasks: hold_packages.yml
when: apt_install_hold_packages | bool
tags:
- apt
- name: Updating APT cache
apt:
ansible.builtin.apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
apt:
ansible.builtin.apt:
upgrade: dist
when: apt_upgrade | bool
tags:

View file

@ -1,9 +1,9 @@
---
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -13,7 +13,7 @@
- apt
- name: Migration scripts are installed
copy:
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: yes
@ -25,7 +25,8 @@
- apt
- name: Exec migration script
command: /usr/share/scripts/deb822-migration.sh
ansible.builtin.command:
cmd: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes
tags:
- apt

View file

@ -1,18 +1,18 @@
---
- name: New APT keyrings directory is present
file:
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
owner: root
group: root
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -22,7 +22,7 @@
- apt
- name: migration script is present
copy:
ansible.builtin.copy:
src: move-apt-keyrings.sh
dest: /usr/share/scripts/move-apt-keyrings.sh
mode: "0755"
@ -30,7 +30,8 @@
group: root
- name: Move repository signing key
command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
ansible.builtin.command:
cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
loop:
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
@ -48,5 +49,5 @@
register: _cmd
- name: Debug command
debug:
ansible.builtin.debug:
var: _cmd

View file

@ -1,21 +1,21 @@
---
- name: reload systemd
systemd:
ansible.builtin.systemd:
daemon-reload: yes
- name: restart apparmor
systemd:
ansible.builtin.systemd:
name: apparmor
state: restarted
- name: restart bind
systemd:
ansible.builtin.systemd:
name: bind9
state: restarted
- name: restart munin-node
systemd:
ansible.builtin.systemd:
name: munin-node
state: restarted

View file

@ -1,7 +1,7 @@
---
- name: Set bind configuration for authoritative server
template:
ansible.builtin.template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind

View file

@ -1,6 +1,6 @@
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
- name: set chroot variables
set_fact:
ansible.builtin.set_fact:
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind
@ -9,14 +9,15 @@
when: bind_chroot_set | bool
- name: Check AppArmor
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
ansible.builtin.shell:
cmd: systemctl is-active apparmor || systemctl is-enabled apparmor
failed_when: False
changed_when: False
check_mode: no
register: check_apparmor
- name: configure apparmor
template:
ansible.builtin.template:
src: apparmor.usr.sbin.named.j2
dest: /etc/apparmor.d/usr.sbin.named
owner: root
@ -27,20 +28,20 @@
when: check_apparmor.rc == 0
- name: package are installed
apt:
ansible.builtin.apt:
name:
- bind9
- dnstop
state: present
- include: authoritative.yml
- ansible.builtin.include: authoritative.yml
when: bind_authoritative_server | bool
- include: recursive.yml
- ansible.builtin.include: recursive.yml
when: bind_recursive_server | bool
- name: Create systemd service for Debian 8 (Jessie)
template:
ansible.builtin.template:
src: bind9.service.jessie.j2
dest: "{{ bind_systemd_service_path }}"
owner: root
@ -53,7 +54,7 @@
when: ansible_distribution_release == "jessie"
- name: "touch {{ bind_log_file }} if non chroot"
file:
ansible.builtin.file:
path: "{{ bind_log_file }}"
owner: bind
group: adm
@ -62,7 +63,7 @@
when: not (bind_chroot_set | bool)
- name: "touch {{ bind_query_file }} if non chroot"
file:
ansible.builtin.file:
path: "{{ bind_query_file }}"
owner: bind
group: adm
@ -71,7 +72,7 @@
when: not (bind_chroot_set | bool)
- name: send chroot-bind.sh in /root
copy:
ansible.builtin.copy:
src: chroot-bind.sh
dest: /root/chroot-bind.sh
mode: "0700"
@ -81,19 +82,20 @@
when: bind_chroot_set | bool
- name: exec chroot-bind.sh
command: "/root/chroot-bind.sh"
ansible.builtin.command:
cmd: "/root/chroot-bind.sh"
register: chrootbind_run
changed_when: False
when: bind_chroot_set | bool
- debug:
- ansible.builtin.debug:
var: chrootbind_run.stdout_lines
when:
- bind_chroot_set | bool
- chrootbind_run.stdout | length > 0
- name: Modify OPTIONS in /etc/default/bind9 for chroot
replace:
ansible.builtin.replace:
dest: /etc/default/bind9
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
@ -101,7 +103,7 @@
when: bind_chroot_set | bool
- name: logrotate for bind
template:
ansible.builtin.template:
src: logrotate_bind.j2
dest: /etc/logrotate.d/bind9
owner: root
@ -110,4 +112,4 @@
force: yes
notify: restart bind
- include: munin.yml
- ansible.builtin.include: munin.yml

View file

@ -1,7 +1,7 @@
---
- name: