Use FQCN

Fully Qualified Collection Name
This commit is contained in:
Jérémy Lecour 2023-03-20 23:33:19 +01:00 committed by Jérémy Lecour
parent 7a73df6bd7
commit ee21973371
392 changed files with 2517 additions and 2298 deletions


@ -1,5 +1,5 @@
--- ---
- name: restart amavis - name: restart amavis
service: ansible.builtin.service:
name: amavis name: amavis
state: restarted state: restarted


@ -1,6 +1,6 @@
--- ---
- name: install Amavis - name: install Amavis
apt: ansible.builtin.apt:
name: name:
- postgrey - postgrey
- amavisd-new - amavisd-new
@ -9,7 +9,7 @@
- amavis - amavis
- name: configure Amavis - name: configure Amavis
template: ansible.builtin.template:
src: amavis.conf.j2 src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644" mode: "0644"


@ -9,10 +9,10 @@
aws_region: ca-central-1 aws_region: ca-central-1
tasks: tasks:
- include_role: - ansible.builtin.include_role:
name: evolix/amazon-ec2 name: evolix/amazon-ec2
tasks_from: setup.yml tasks_from: setup.yml
- include_role: - ansible.builtin.include_role:
name: evolix/amazon-ec2 name: evolix/amazon-ec2
tasks_from: create-instance.yml tasks_from: create-instance.yml
@ -51,7 +51,7 @@
- mysql - mysql
post_tasks: post_tasks:
- include_role: - ansible.builtin.include_role:
name: evolix/etc-git name: evolix/etc-git
tasks_from: commit.yml tasks_from: commit.yml
vars: vars:


@ -1,7 +1,7 @@
--- ---
- name: Launch new instance(s) - name: Launch new instance(s)
ec2: amazon.aws.ec2:
state: present state: present
aws_access_key: "{{ aws_access_key }}" aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}" aws_secret_key: "{{ aws_secret_key }}"
@ -16,19 +16,19 @@
register: ec2 register: ec2
- name: Add newly created instance(s) to inventory - name: Add newly created instance(s) to inventory
add_host: ansible.builtin.add_host:
hostname: "{{ item.public_dns_name }}" hostname: "{{ item.public_dns_name }}"
groupname: launched-instances groupname: launched-instances
ansible_user: admin ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no" ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ ec2.instances }}" loop: "{{ ec2.instances }}"
- debug: - ansible.builtin.debug:
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}" msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}" loop: "{{ ec2.instances }}"
- name: Wait for SSH to come up on all instances (give up after 2m) - name: Wait for SSH to come up on all instances (give up after 2m)
wait_for: ansible.builtin.wait_for:
state: started state: started
host: "{{ item.public_dns_name }}" host: "{{ item.public_dns_name }}"
port: 22 port: 22
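Review bot: `amazon.aws.ec2` in the "Launch new instance(s)" task is a mechanical swap that only resolves while an old collection is pinned: the legacy `ec2` module was deprecated and, as far as I recall, removed from amazon.aws in 4.0.0 in favour of `amazon.aws.ec2_instance`, whose parameter names differ, so this task should be ported rather than just prefixed. Separately, the `add_host` task still carries `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"`, which leaves the first SSH connection to each fresh instance open to interception; `-o StrictHostKeyChecking=accept-new` would at least pin the key for subsequent runs, and the instance IDs in `ec2.instances` allow fetching the host key fingerprint from the console output for a real check. The instance parameters above and the `wait_for` timeout below are outside the hunk.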


@ -1,5 +1,5 @@
--- ---
- name: Remove admin user - name: Remove admin user
user: ansible.builtin.user:
name: admin name: admin
state: absent state: absent


@ -1,7 +1,7 @@
--- ---
- name: Create default security group - name: Create default security group
ec2_group: amazon.aws.ec2_group:
name: "{{ ec2_security_group.name }}" name: "{{ ec2_security_group.name }}"
state: present state: present
aws_access_key: "{{ aws_access_key }}" aws_access_key: "{{ aws_access_key }}"
@ -12,7 +12,7 @@
rules_egress: "{{ ec2_security_group.rules_egress }}" rules_egress: "{{ ec2_security_group.rules_egress }}"
- name: Create key pair - name: Create key pair
ec2_key: amazon.aws.ec2_key:
name: "{{ ec2_keyname }}" name: "{{ ec2_keyname }}"
state: present state: present
aws_access_key: "{{ aws_access_key }}" aws_access_key: "{{ aws_access_key }}"


@ -1,15 +1,15 @@
--- ---
- name: restart apache - name: restart apache
service: ansible.builtin.service:
name: apache2 name: apache2
state: restarted state: restarted
- name: reload apache - name: reload apache
service: ansible.builtin.service:
name: apache2 name: apache2
state: reloaded state: reloaded
- name: restart munin-node - name: restart munin-node
service: ansible.builtin.service:
name: munin-node name: munin-node
state: restarted state: restarted


@ -1,7 +1,7 @@
--- ---
- name: Init ipaddr_whitelist.conf file - name: Init ipaddr_whitelist.conf file
copy: ansible.builtin.copy:
src: ipaddr_whitelist.conf src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf dest: /etc/apache2/ipaddr_whitelist.conf
owner: root owner: root
@ -12,10 +12,10 @@
- apache - apache
- name: Load IP whitelist task - name: Load IP whitelist task
include: ip_whitelist.yml ansible.builtin.import_tasks: ip_whitelist.yml
- name: include private IP whitelist for server-status - name: include private IP whitelist for server-status
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apache2/mods-available/status.conf dest: /etc/apache2/mods-available/status.conf
line: " include /etc/apache2/ipaddr_whitelist.conf" line: " include /etc/apache2/ipaddr_whitelist.conf"
insertafter: 'SetHandler server-status' insertafter: 'SetHandler server-status'
@ -24,7 +24,7 @@
- apache - apache
- name: Copy private_htpasswd - name: Copy private_htpasswd
copy: ansible.builtin.copy:
src: private_htpasswd src: private_htpasswd
dest: /etc/apache2/private_htpasswd dest: /etc/apache2/private_htpasswd
owner: root owner: root
@ -36,7 +36,7 @@
- apache - apache
- name: add user:pwd to private htpasswd - name: add user:pwd to private htpasswd
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd dest: /etc/apache2/private_htpasswd
line: "{{ item }}" line: "{{ item }}"
state: present state: present
@ -46,7 +46,7 @@
- apache - apache
- name: remove user:pwd from private htpasswd - name: remove user:pwd from private htpasswd
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd dest: /etc/apache2/private_htpasswd
line: "{{ item }}" line: "{{ item }}"
state: absent state: absent
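Review bot: The "add user:pwd to private htpasswd" task writes `{{ item }}` into `/etc/apache2/private_htpasswd` without `no_log`, so every loop iteration prints the credential line as the item label in playbook output and in any callback or log sink; the "remove user:pwd" task just below has the same exposure. Whether the items are plaintext or already-hashed entries is not visible here, but in either case add `no_log: true` next to `state:` on both tasks. The loop variable and tags for these tasks lie outside the hunk.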


@ -1,7 +1,7 @@
--- ---
- name: add IP addresses to private IP whitelist - name: add IP addresses to private IP whitelist
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}" line: "Require ip {{ item }}"
state: present state: present
@ -12,7 +12,7 @@
- ips - ips
- name: remove IP addresses from private IP whitelist - name: remove IP addresses from private IP whitelist
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}" line: "Require ip {{ item }}"
state: absent state: absent


@ -1,14 +1,14 @@
--- ---
- name: log2mail is installed - name: log2mail is installed
apt: ansible.builtin.apt:
name: log2mail name: log2mail
state: present state: present
tags: tags:
- apache - apache
- name: Add log2mail config for Apache segfaults - name: Add log2mail config for Apache segfaults
template: ansible.builtin.template:
src: log2mail-apache.j2 src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache" dest: "/etc/log2mail/config/apache"
owner: log2mail owner: log2mail


@ -1,7 +1,7 @@
--- ---
- name: packages are installed (Debian 9 or later) - name: packages are installed (Debian 9 or later)
apt: ansible.builtin.apt:
name: name:
- apache2 - apache2
- libapache2-mod-evasive - libapache2-mod-evasive
@ -14,7 +14,7 @@
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('9', '>=')
- name: itk package is installed if required (Debian 9 or later) - name: itk package is installed if required (Debian 9 or later)
apt: ansible.builtin.apt:
name: name:
- libapache2-mpm-itk - libapache2-mpm-itk
state: present state: present
@ -26,7 +26,7 @@
- apache_mpm == "itk" - apache_mpm == "itk"
- name: packages are installed (jessie) - name: packages are installed (jessie)
apt: ansible.builtin.apt:
name: name:
- apache2-mpm-itk - apache2-mpm-itk
- libapache2-mod-evasive - libapache2-mod-evasive
@ -39,7 +39,7 @@
when: ansible_distribution_release == "jessie" when: ansible_distribution_release == "jessie"
- name: basic modules are enabled - name: basic modules are enabled
apache2_module: community.general.apache2_module:
name: '{{ item }}' name: '{{ item }}'
state: present state: present
loop: loop:
@ -55,7 +55,7 @@
- apache - apache
- name: basic modules are enabled - name: basic modules are enabled
apache2_module: community.general.apache2_module:
name: '{{ item }}' name: '{{ item }}'
state: present state: present
loop: loop:
@ -67,7 +67,7 @@
- name: Copy Apache defaults config file - name: Copy Apache defaults config file
copy: ansible.builtin.copy:
src: evolinux-defaults.conf src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf" dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root owner: root
@ -79,7 +79,7 @@
- apache - apache
- name: Copy Apache custom config file - name: Copy Apache custom config file
copy: ansible.builtin.copy:
src: evolinux-custom.conf src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf" dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root owner: root
@ -91,7 +91,7 @@
- apache - apache
- name: disable status.conf - name: disable status.conf
file: ansible.builtin.file:
dest: /etc/apache2/mods-enabled/status.conf dest: /etc/apache2/mods-enabled/status.conf
state: absent state: absent
notify: reload apache notify: reload apache
@ -99,7 +99,8 @@
- apache - apache
- name: Ensure Apache config files are enabled - name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}" ansible.builtin.command:
cmd: "a2enconf {{ item }}"
register: command_result register: command_result
changed_when: "'Enabling' in command_result.stderr" changed_when: "'Enabling' in command_result.stderr"
loop: loop:
@ -109,12 +110,12 @@
tags: tags:
- apache - apache
- include: auth.yml - ansible.builtin.include: auth.yml
tags: tags:
- apache - apache
- name: default vhost is installed - name: default vhost is installed
template: ansible.builtin.template:
src: evolinux-default.conf.j2 src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640" mode: "0640"
@ -124,7 +125,7 @@
- apache - apache
- name: default vhost is enabled - name: default vhost is enabled
file: ansible.builtin.file:
src: /etc/apache2/sites-available/000-evolinux-default.conf src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf dest: /etc/apache2/sites-enabled/000-default.conf
state: link state: link
@ -134,12 +135,13 @@
tags: tags:
- apache - apache
- include: server_status.yml - ansible.builtin.include: server_status.yml
tags: tags:
- apache - apache
- name: is umask already present? - name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars" ansible.builtin.command:
cmd: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False failed_when: False
changed_when: False changed_when: False
register: envvar_grep_umask register: envvar_grep_umask
@ -148,7 +150,7 @@
- apache - apache
- name: Add a mark in envvars for umask - name: Add a mark in envvars for umask
blockinfile: ansible.builtin.blockinfile:
dest: /etc/apache2/envvars dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK" marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: | block: |
@ -159,13 +161,13 @@
tags: tags:
- apache - apache
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
tags: tags:
- apache - apache
- name: /usr/share/scripts exists - name: /usr/share/scripts exists
file: ansible.builtin.file:
dest: /usr/share/scripts dest: /usr/share/scripts
mode: "0700" mode: "0700"
owner: root owner: root
@ -175,7 +177,7 @@
- apache - apache
- name: "Install save_apache_status.sh" - name: "Install save_apache_status.sh"
copy: ansible.builtin.copy:
src: save_apache_status.sh src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh dest: /usr/share/scripts/save_apache_status.sh
mode: "0755" mode: "0755"
@ -184,7 +186,7 @@
- apache - apache
- name: "logrotate: {{ apache_logrotate_frequency }}" - name: "logrotate: {{ apache_logrotate_frequency }}"
replace: ansible.builtin.replace:
dest: /etc/logrotate.d/apache2 dest: /etc/logrotate.d/apache2
regexp: "(daily|weekly|monthly)" regexp: "(daily|weekly|monthly)"
replace: "{{ apache_logrotate_frequency }}" replace: "{{ apache_logrotate_frequency }}"
@ -192,19 +194,19 @@
- apache - apache
- name: "logrotate: rotate {{ apache_logrotate_rotate }}" - name: "logrotate: rotate {{ apache_logrotate_rotate }}"
replace: ansible.builtin.replace:
dest: /etc/logrotate.d/apache2 dest: /etc/logrotate.d/apache2
regexp: '^(\s+rotate) \d+$' regexp: '^(\s+rotate) \d+$'
replace: '\1 {{ apache_logrotate_rotate }}' replace: '\1 {{ apache_logrotate_rotate }}'
tags: tags:
- apache - apache
- include: log2mail.yml - ansible.builtin.include: log2mail.yml
when: apache_log2mail_include when: apache_log2mail_include
tags: tags:
- apache - apache
- include: munin.yml - ansible.builtin.include: munin.yml
when: apache_munin_include | bool when: apache_munin_include | bool
tags: tags:
- apache - apache
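Review bot: The four `include:` tasks in this file (auth.yml, server_status.yml, log2mail.yml, munin.yml) were rewritten as `ansible.builtin.include`, whereas the same commit turns `include: ip_whitelist.yml` in auth.yml into `ansible.builtin.import_tasks`; `include` is deprecated and, to my knowledge, removed in ansible-core 2.16, so the FQCN spelling only defers the breakage and the file is now inconsistent with its sibling. Use the static form here too, e.g. `- ansible.builtin.import_tasks: log2mail.yml`, keeping the `when:` and `tags:` as they are — with `import_tasks` they apply to each imported task, which is the effect these guards already rely on. If dynamic loading is actually wanted, `ansible.builtin.include_tasks` is the other option.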


@ -1,7 +1,7 @@
--- ---
- name: "Install munin-node and core plugins packages" - name: "Install munin-node and core plugins packages"
apt: ansible.builtin.apt:
name: name:
- munin-node - munin-node
- munin-plugins-core - munin-plugins-core
@ -11,7 +11,7 @@
- munin - munin
- name: "Enable Munin plugins" - name: "Enable Munin plugins"
file: ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}" src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}"
state: link state: link
@ -25,7 +25,7 @@
- munin - munin
- name: "Install fcgi packages for Munin graphs" - name: "Install fcgi packages for Munin graphs"
apt: ansible.builtin.apt:
name: name:
- libapache2-mod-fcgid - libapache2-mod-fcgid
- libcgi-fast-perl - libcgi-fast-perl
@ -36,7 +36,8 @@
- munin - munin
- name: "Enable libapache2-mod-fcgid" - name: "Enable libapache2-mod-fcgid"
command: a2enmod fcgid ansible.builtin.command:
cmd: a2enmod fcgid
register: cmd_enable_fcgid register: cmd_enable_fcgid
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout" changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
notify: restart apache notify: restart apache
@ -45,7 +46,7 @@
- munin - munin
- name: "Apache has access to /var/log/munin/" - name: "Apache has access to /var/log/munin/"
file: ansible.builtin.file:
path: /var/log/munin/ path: /var/log/munin/
group: www-data group: www-data
tags: tags:


@ -1,7 +1,7 @@
--- ---
- name: server status dirname exists - name: server status dirname exists
file: ansible.builtin.file:
dest: "{{ apache_serverstatus_suffix_file | dirname }}" dest: "{{ apache_serverstatus_suffix_file | dirname }}"
mode: "0700" mode: "0700"
owner: root owner: root
@ -9,7 +9,7 @@
state: directory state: directory
- name: set apache serverstatus suffix if provided - name: set apache serverstatus suffix if provided
copy: ansible.builtin.copy:
dest: "{{ apache_serverstatus_suffix_file }}" dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it # The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A" content: "{{ apache_serverstatus_suffix }}\u000A"
@ -17,51 +17,53 @@
when: apache_serverstatus_suffix | length > 0 when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix - name: generate random string for server-status suffix
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}" ansible.builtin.shell:
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
args: args:
creates: "{{ apache_serverstatus_suffix_file }}" creates: "{{ apache_serverstatus_suffix_file }}"
- name: read apache server status suffix - name: read apache server status suffix
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}" ansible.builtin.command:
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
changed_when: False changed_when: False
check_mode: no check_mode: no
register: new_apache_serverstatus_suffix register: new_apache_serverstatus_suffix
- name: overwrite apache_serverstatus_suffix - name: overwrite apache_serverstatus_suffix
set_fact: ansible.builtin.set_fact:
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
- debug: - ansible.builtin.debug:
var: apache_serverstatus_suffix var: apache_serverstatus_suffix
verbosity: 1 verbosity: 1
- name: replace server-status suffix in default site index - name: replace server-status suffix in default site index
replace: ansible.builtin.replace:
dest: /var/www/index.html dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__' regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}" replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing - name: add server-status suffix in default site index if missing
replace: ansible.builtin.replace:
dest: /var/www/index.html dest: /var/www/index.html
regexp: '"/server-status-?"' regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost - name: add server-status suffix in default VHost
replace: ansible.builtin.replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>' regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>' replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache notify: reload apache
- name: Munin configuration has a section for apache - name: Munin configuration has a section for apache
lineinfile: ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node dest: /etc/munin/plugin-conf.d/munin-node
line: "[apache_*]" line: "[apache_*]"
create: no create: no
- name: apache-status URL is configured for Munin - name: apache-status URL is configured for Munin
lineinfile: ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto" line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status' regexp: 'env.url http://[^\\/]+/server-status'
@ -70,7 +72,7 @@
notify: restart munin-node notify: restart munin-node
- name: add mailgraph URL in index.html - name: add mailgraph URL in index.html
lineinfile: ansible.builtin.lineinfile:
dest: /var/www/index.html dest: /var/www/index.html
state: present state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>' line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
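Review bot: The random suffix is what hides `/server-status-<suffix>` (the `<Location>` is rewritten into the default vhost in this hunk), so it behaves as a shared secret, yet the "read apache server status suffix" command registers it and `set_fact` copies it with no `no_log`, and the `ansible.builtin.debug` task prints it at `-v`. Add `no_log: true` to the command and `set_fact` tasks and either drop the debug or raise its `verbosity`. Any additional access control the vhost template applies to that Location is not visible here, so treat this as a defence-in-depth point rather than a confirmed exposure.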


@ -1,7 +1,7 @@
--- ---
- name: Backports deb822 sources list is installed - name: Backports deb822 sources list is installed
template: ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2' src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources dest: /etc/apt/sources.list.d/backports.sources
force: yes force: yes
@ -11,7 +11,7 @@
- apt - apt
- name: Backports configuration - name: Backports configuration
copy: ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences' src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults dest: /etc/apt/preferences.d/0-backports-defaults
force: yes force: yes
@ -21,7 +21,7 @@
- apt - apt
- name: Apt update - name: Apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
when: apt_backports_sources is changed or apt_backports_config is changed when: apt_backports_sources is changed or apt_backports_config is changed
tags: tags:


@ -1,6 +1,6 @@
--- ---
- name: No backports config in default sources.list - name: No backports config in default sources.list
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apt/sources.list dest: /etc/apt/sources.list
regexp: "backports" regexp: "backports"
state: absent state: absent
@ -8,7 +8,7 @@
- apt - apt
- name: Backports sources list is installed - name: Backports sources list is installed
template: ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2' src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list dest: /etc/apt/sources.list.d/backports.list
force: yes force: yes
@ -18,7 +18,7 @@
- apt - apt
- name: Backports configuration - name: Backports configuration
copy: ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences' src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults dest: /etc/apt/preferences.d/0-backports-defaults
force: yes force: yes
@ -28,7 +28,7 @@
- apt - apt
- name: Archived backport are accepted (jessie) - name: Archived backport are accepted (jessie)
lineinfile: ansible.builtin.lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until' dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;' line: 'Acquire::Check-Valid-Until no;'
create: yes create: yes
@ -38,7 +38,7 @@
when: ansible_distribution_release == "jessie" when: ansible_distribution_release == "jessie"
- name: Apt update - name: Apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
tags: tags:
- apt - apt


@ -3,11 +3,11 @@
# Backward compatibility task file # Backward compatibility task file
- name: Install backports repositories (Debian <12) - name: Install backports repositories (Debian <12)
import_tasks: backports.oneline.yml ansible.builtin.import_tasks: backports.oneline.yml
when: when:
- ansible_distribution_major_version is version('12', '<') - ansible_distribution_major_version is version('12', '<')
- name: Install backports repositories (Debian >=12) - name: Install backports repositories (Debian >=12)
import_tasks: backports.deb822.yml ansible.builtin.import_tasks: backports.deb822.yml
when: when:
- ansible_distribution_major_version is version('12', '>=') - ansible_distribution_major_version is version('12', '>=')


@ -1,7 +1,7 @@
--- ---
- name: Change basics repositories - name: Change basics repositories
template: ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.sources.j2" src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources dest: /etc/apt/sources.list.d/system.sources
mode: "0644" mode: "0644"
@ -11,7 +11,7 @@
- apt - apt
- name: Change security repositories - name: Change security repositories
template: ansible.builtin.template:
src: "{{ ansible_distribution_release }}_security.sources.j2" src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources dest: /etc/apt/sources.list.d/security.sources
mode: "0644" mode: "0644"
@ -27,7 +27,8 @@
register: list_files register: list_files
- name: Disable one-line-formatted sources - name: Disable one-line-formatted sources
command: "mv --verbose {{ item.path }} {{ item.path }}.bak" ansible.builtin.command:
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
environment: environment:
LC_ALL: C LC_ALL: C
loop: "{{ list_files.files }}" loop: "{{ list_files.files }}"
@ -37,7 +38,7 @@
- apt - apt
- name: Apt update - name: Apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
tags: tags:
- apt - apt


@ -1,7 +1,7 @@
--- ---
- name: Change basics repositories - name: Change basics repositories
template: ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.list.j2" src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list dest: /etc/apt/sources.list
mode: "0644" mode: "0644"
@ -11,7 +11,7 @@
- apt - apt
- name: Apt update - name: Apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
tags: tags:
- apt - apt


@ -3,11 +3,11 @@
# Backward compatibility task file # Backward compatibility task file
- name: Install basics repositories (Debian <12) - name: Install basics repositories (Debian <12)
import_tasks: basics.oneline.yml ansible.builtin.import_tasks: basics.oneline.yml
when: when:
- ansible_distribution_major_version is version('12', '<') - ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12) - name: Install basics repositories (Debian >=12)
import_tasks: basics.deb822.yml ansible.builtin.import_tasks: basics.deb822.yml
when: when:
- ansible_distribution_major_version is version('12', '>=') - ansible_distribution_major_version is version('12', '>=')


@ -1,7 +1,7 @@
--- ---
- name: Evolinux config for APT - name: Evolinux config for APT
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item.line }}" line: "{{ item.line }}"
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
@ -17,7 +17,7 @@
when: apt_evolinux_config | bool when: apt_evolinux_config | bool
- name: DPkg invoke hooks - name: DPkg invoke hooks
lineinfile: ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item }}" line: "{{ item }}"
create: yes create: yes
@ -33,7 +33,7 @@
when: apt_hooks | bool when: apt_hooks | bool
- name: Remove Aptitude - name: Remove Aptitude
apt: ansible.builtin.apt:
name: aptitude name: aptitude
state: absent state: absent
tags: tags:


@ -1,14 +1,14 @@
--- ---
- name: Look for legacy apt keyring - name: Look for legacy apt keyring
stat: ansible.builtin.stat:
path: /etc/apt/trusted.gpg path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring register: _trusted_gpg_keyring
tags: tags:
- apt - apt
- name: Evolix embedded GPG key is absent - name: Evolix embedded GPG key is absent
apt_key: ansible.builtin.apt_key:
id: "B8612B5D" id: "B8612B5D"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
@ -17,7 +17,7 @@
when: _trusted_gpg_keyring.stat.exists when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key - name: Add Evolix GPG key
copy: ansible.builtin.copy:
src: pub_evolix.asc src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc" dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes force: yes
@ -28,7 +28,7 @@
- apt - apt
- name: Evolix public list is installed - name: Evolix public list is installed
template: ansible.builtin.template:
src: evolix_public.sources.j2 src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources dest: /etc/apt/sources.list.d/evolix_public.sources
force: yes force: yes
@ -38,7 +38,7 @@
- apt - apt
- name: Apt update - name: Apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
tags: tags:
- apt - apt


@ -1,14 +1,14 @@
--- ---
- name: Look for legacy apt keyring - name: Look for legacy apt keyring
stat: ansible.builtin.stat:
path: /etc/apt/trusted.gpg path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring register: _trusted_gpg_keyring
tags: tags:
- apt - apt
- name: Evolix embedded GPG key is absent - name: Evolix embedded GPG key is absent
apt_key: ansible.builtin.apt_key:
id: "B8612B5D" id: "B8612B5D"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
@ -17,7 +17,7 @@
when: _trusted_gpg_keyring.stat.exists when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key - name: Add Evolix GPG key
copy: ansible.builtin.copy:
src: pub_evolix.asc src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc" dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes force: yes
@ -28,7 +28,7 @@
- apt - apt
- name: Evolix public list is installed - name: Evolix public list is installed
template: ansible.builtin.template:
src: evolix_public.list.j2 src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list dest: /etc/apt/sources.list.d/evolix_public.list
force: yes force: yes
@ -38,7 +38,7 @@
- apt - apt
- name: Apt update - name: Apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
tags: tags:
- apt - apt


@ -3,11 +3,11 @@
# Backward compatibility task file # Backward compatibility task file
- name: Install Evolix Public repositories (Debian <12) - name: Install Evolix Public repositories (Debian <12)
import_tasks: evolix_public.oneline.yml ansible.builtin.import_tasks: evolix_public.oneline.yml
when: when:
- ansible_distribution_major_version is version('12', '<') - ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12) - name: Install Evolix Public repositories (Debian >=12)
import_tasks: evolix_public.deb822.yml ansible.builtin.import_tasks: evolix_public.deb822.yml
when: when:
- ansible_distribution_major_version is version('12', '>=') - ansible_distribution_major_version is version('12', '>=')


@ -1,11 +1,11 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
- name: "hold packages (apt)" - name: "hold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})" ansible.builtin.shell:
args: cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
executable: /bin/bash executable: /bin/bash
check_mode: no check_mode: no
register: apt_mark register: apt_mark
@ -18,7 +18,7 @@
- apt - apt
- name: "/etc/evolinux is present" - name: "/etc/evolinux is present"
file: ansible.builtin.file:
dest: /etc/evolinux dest: /etc/evolinux
mode: "0700" mode: "0700"
state: directory state: directory
@ -26,7 +26,7 @@
- apt - apt
- name: "hold packages (config)" - name: "hold packages (config)"
lineinfile: ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}" line: "{{ item }}"
create: True create: True
@ -36,8 +36,8 @@
- apt - apt
- name: "unhold packages (apt)" - name: "unhold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})" ansible.builtin.shell:
args: cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
executable: /bin/bash executable: /bin/bash
check_mode: no check_mode: no
register: apt_mark register: apt_mark
@ -48,7 +48,7 @@
- apt - apt
- name: "unhold packages (config)" - name: "unhold packages (config)"
lineinfile: ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}" line: "{{ item }}"
create: True create: True
@ -58,7 +58,7 @@
- apt - apt
- name: /usr/share/scripts exists - name: /usr/share/scripts exists
file: ansible.builtin.file:
dest: /usr/share/scripts dest: /usr/share/scripts
mode: "0700" mode: "0700"
owner: root owner: root
@ -68,7 +68,7 @@
- apt - apt
- name: Check scripts is installed - name: Check scripts is installed
copy: ansible.builtin.copy:
src: check_held_packages.sh src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh dest: /usr/share/scripts/check_held_packages.sh
force: yes force: yes
@ -77,7 +77,8 @@
- apt - apt
- name: Check if Cron is installed - name: Check if Cron is installed
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'" ansible.builtin.shell:
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron register: is_cron
changed_when: False changed_when: False
failed_when: False failed_when: False
@ -86,7 +87,7 @@
- apt - apt
- name: Check for held packages (script) - name: Check for held packages (script)
cron: ansible.builtin.cron:
cron_file: apt-hold-packages cron_file: apt-hold-packages
name: check_held_packages name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh" job: "/usr/share/scripts/check_held_packages.sh"


@ -1,7 +1,7 @@
--- ---
- name: "Compatibility check" - name: "Compatibility check"
assert: ansible.builtin.assert:
that: that:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=') - ansible_distribution_major_version is version('8', '>=')
@ -10,7 +10,7 @@
- apt - apt
- name: "apt-transport-https is installed for https repositories (before Buster)" - name: "apt-transport-https is installed for https repositories (before Buster)"
apt: ansible.builtin.apt:
name: name:
- apt-transport-https - apt-transport-https
tags: tags:
@ -18,20 +18,20 @@
when: ansible_distribution_major_version is version('10', '<') when: ansible_distribution_major_version is version('10', '<')
- name: "certificates are installed for https repositories" - name: "certificates are installed for https repositories"
apt: ansible.builtin.apt:
name: name:
- ca-certificates - ca-certificates
tags: tags:
- apt - apt
- name: Custom configuration - name: Custom configuration
import_tasks: config.yml ansible.builtin.import_tasks: config.yml
when: apt_config | bool when: apt_config | bool
tags: tags:
- apt - apt
- name: Install basics repositories (Debian <12) - name: Install basics repositories (Debian <12)
import_tasks: basics.oneline.yml ansible.builtin.import_tasks: basics.oneline.yml
tags: tags:
- apt - apt
when: when:
@ -39,7 +39,7 @@
- ansible_distribution_major_version is version('12', '<') - ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12) - name: Install basics repositories (Debian >=12)
import_tasks: basics.deb822.yml ansible.builtin.import_tasks: basics.deb822.yml
tags: tags:
- apt - apt
when: when:
@ -47,7 +47,7 @@
- ansible_distribution_major_version is version('12', '>=') - ansible_distribution_major_version is version('12', '>=')
- name: Install backports repositories (Debian <12) - name: Install backports repositories (Debian <12)
import_tasks: backports.oneline.yml ansible.builtin.import_tasks: backports.oneline.yml
tags: tags:
- apt - apt
when: when:
@ -57,7 +57,7 @@
# With Debian 12+ and the deb822 format of source files # With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports` # backports are always installed but enabled according to `apt_install_backports`
- name: Install backports repositories (Debian >=12) - name: Install backports repositories (Debian >=12)
import_tasks: backports.deb822.yml ansible.builtin.import_tasks: backports.deb822.yml
tags: tags:
- apt - apt
when: when:
@ -65,7 +65,7 @@
- name: Install Evolix Public repositories (Debian <12) - name: Install Evolix Public repositories (Debian <12)
import_tasks: evolix_public.oneline.yml ansible.builtin.import_tasks: evolix_public.oneline.yml
tags: tags:
- apt - apt
when: when:
@ -73,7 +73,7 @@
- ansible_distribution_major_version is version('12', '<') - ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12) - name: Install Evolix Public repositories (Debian >=12)
import_tasks: evolix_public.deb822.yml ansible.builtin.import_tasks: evolix_public.deb822.yml
tags: tags:
- apt - apt
when: when:
@ -81,7 +81,7 @@
- ansible_distribution_major_version is version('12', '>=') - ansible_distribution_major_version is version('12', '>=')
- name: Clean GANDI sources - name: Clean GANDI sources
file: ansible.builtin.file:
path: '{{ item }}' path: '{{ item }}'
state: absent state: absent
loop: loop:
@ -97,20 +97,20 @@
- name: Install check for packages marked hold - name: Install check for packages marked hold
import_tasks: hold_packages.yml ansible.builtin.import_tasks: hold_packages.yml
when: apt_install_hold_packages | bool when: apt_install_hold_packages | bool
tags: tags:
- apt - apt
- name: Updating APT cache - name: Updating APT cache
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
changed_when: False changed_when: False
tags: tags:
- apt - apt
- name: Upgrading system - name: Upgrading system
apt: ansible.builtin.apt:
upgrade: dist upgrade: dist
when: apt_upgrade | bool when: apt_upgrade | bool
tags: tags:
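Review bot: Truthy values in this file are written three ways — `update_cache: yes` in the "Updating APT cache" task, `changed_when: False` right under it, and `| bool` in the `when:` clauses — and the commit renames the modules without normalising them. `yes`/`False` are YAML 1.1 booleans that YAML 1.2 parsers read as strings, which is what yamllint's `truthy` rule warns about, so `update_cache: true` and `changed_when: false` are the portable spellings. The same mix (`yes`, `True`, `False`) recurs in most task files touched by this commit, so a single sweep would fix it everywhere.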


@ -1,9 +1,9 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
- name: /usr/share/scripts exists - name: /usr/share/scripts exists
file: ansible.builtin.file:
dest: /usr/share/scripts dest: /usr/share/scripts
mode: "0700" mode: "0700"
owner: root owner: root
@ -13,7 +13,7 @@
- apt - apt
- name: Migration scripts are installed - name: Migration scripts are installed
copy: ansible.builtin.copy:
src: "{{ item }}" src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}" dest: "/usr/share/scripts/{{ item }}"
force: yes force: yes
@ -25,7 +25,8 @@
- apt - apt
- name: Exec migration script - name: Exec migration script
command: /usr/share/scripts/deb822-migration.sh ansible.builtin.command:
cmd: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes ignore_errors: yes
tags: tags:
- apt - apt
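Review bot: `ignore_errors: yes` on the "Exec migration script" task hides a failed rewrite of the APT source files, so a half-migrated /etc/apt goes unnoticed while the rest of the role keeps running apt against it; the task also has no `changed_when`, so it reports a change on every run. If the script is expected to exit non-zero on already-migrated hosts, express that precisely rather than blanket-ignoring: `register: deb822_migration`, `changed_when: deb822_migration.rc == 0`, `failed_when: deb822_migration.rc not in [0, <noop-rc-of-script>]` (placeholder — use the script's documented no-op code). Otherwise drop `ignore_errors` so a real failure stops the play.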


@ -1,18 +1,18 @@
--- ---
- name: New APT keyrings directory is present - name: New APT keyrings directory is present
file: ansible.builtin.file:
path: /etc/apt/keyrings path: /etc/apt/keyrings
state: directory state: directory
mode: "0755" mode: "0755"
owner: root owner: root
group: root group: root
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
- name: /usr/share/scripts exists - name: /usr/share/scripts exists
file: ansible.builtin.file:
dest: /usr/share/scripts dest: /usr/share/scripts
mode: "0700" mode: "0700"
owner: root owner: root
@ -22,7 +22,7 @@
- apt - apt
- name: migration script is present - name: migration script is present
copy: ansible.builtin.copy:
src: move-apt-keyrings.sh src: move-apt-keyrings.sh
dest: /usr/share/scripts/move-apt-keyrings.sh dest: /usr/share/scripts/move-apt-keyrings.sh
mode: "0755" mode: "0755"
@ -30,7 +30,8 @@
group: root group: root
- name: Move repository signing key - name: Move repository signing key
command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" ansible.builtin.command:
cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
loop: loop:
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" } - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" } - { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
@ -48,5 +49,5 @@
register: _cmd register: _cmd
- name: Debug command - name: Debug command
debug: ansible.builtin.debug:
var: _cmd var: _cmd
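Review bot: The "Move repository signing key" command is assembled as one string with hand-escaped quotes around two Jinja values, which is the fragile form — a value containing a quote or space would be re-split by the shell-style tokenizer. `ansible.builtin.command` takes `argv:`, which passes each argument verbatim and removes the escaping entirely: `argv: ["/usr/share/scripts/move-apt-keyrings.sh", "{{ item.repository_pattern }}", "{{ item.key }}"]`. The loop values here are literals, so this is a robustness and readability point rather than an injection finding, but it is the form to reach for when the arguments ever come from variables.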


@ -1,21 +1,21 @@
--- ---
- name: reload systemd - name: reload systemd
systemd: ansible.builtin.systemd:
daemon-reload: yes daemon-reload: yes
- name: restart apparmor - name: restart apparmor
systemd: ansible.builtin.systemd:
name: apparmor name: apparmor
state: restarted state: restarted
- name: restart bind - name: restart bind
systemd: ansible.builtin.systemd:
name: bind9 name: bind9
state: restarted state: restarted
- name: restart munin-node - name: restart munin-node
systemd: ansible.builtin.systemd:
name: munin-node name: munin-node
state: restarted state: restarted


@ -1,7 +1,7 @@
--- ---
- name: Set bind configuration for authoritative server - name: Set bind configuration for authoritative server
template: ansible.builtin.template:
src: named.conf.options_authoritative.j2 src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options dest: /etc/bind/named.conf.options
owner: bind owner: bind


@ -1,6 +1,6 @@
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths. # Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
- name: set chroot variables - name: set chroot variables
set_fact: ansible.builtin.set_fact:
bind_log_file: /var/log/bind.log bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind bind_cache_dir: /var/cache/bind
@ -9,14 +9,15 @@
when: bind_chroot_set | bool when: bind_chroot_set | bool
- name: Check AppArmor - name: Check AppArmor
shell: systemctl is-active apparmor || systemctl is-enabled apparmor ansible.builtin.shell:
cmd: systemctl is-active apparmor || systemctl is-enabled apparmor
failed_when: False failed_when: False
changed_when: False changed_when: False
check_mode: no check_mode: no
register: check_apparmor register: check_apparmor
- name: configure apparmor - name: configure apparmor
template: ansible.builtin.template:
src: apparmor.usr.sbin.named.j2 src: apparmor.usr.sbin.named.j2
dest: /etc/apparmor.d/usr.sbin.named dest: /etc/apparmor.d/usr.sbin.named
owner: root owner: root
@ -27,20 +28,20 @@
when: check_apparmor.rc == 0 when: check_apparmor.rc == 0
- name: package are installed - name: package are installed
apt: ansible.builtin.apt:
name: name:
- bind9 - bind9
- dnstop - dnstop
state: present state: present
- include: authoritative.yml - ansible.builtin.include: authoritative.yml
when: bind_authoritative_server | bool when: bind_authoritative_server | bool
- include: recursive.yml - ansible.builtin.include: recursive.yml
when: bind_recursive_server | bool when: bind_recursive_server | bool
- name: Create systemd service for Debian 8 (Jessie) - name: Create systemd service for Debian 8 (Jessie)
template: ansible.builtin.template:
src: bind9.service.jessie.j2 src: bind9.service.jessie.j2
dest: "{{ bind_systemd_service_path }}" dest: "{{ bind_systemd_service_path }}"
owner: root owner: root
@ -53,7 +54,7 @@
when: ansible_distribution_release == "jessie" when: ansible_distribution_release == "jessie"
- name: "touch {{ bind_log_file }} if non chroot" - name: "touch {{ bind_log_file }} if non chroot"
file: ansible.builtin.file:
path: "{{ bind_log_file }}" path: "{{ bind_log_file }}"
owner: bind owner: bind
group: adm group: adm
@ -62,7 +63,7 @@
when: not (bind_chroot_set | bool) when: not (bind_chroot_set | bool)
- name: "touch {{ bind_query_file }} if non chroot" - name: "touch {{ bind_query_file }} if non chroot"
file: ansible.builtin.file:
path: "{{ bind_query_file }}" path: "{{ bind_query_file }}"
owner: bind owner: bind
group: adm group: adm
@ -71,7 +72,7 @@
when: not (bind_chroot_set | bool) when: not (bind_chroot_set | bool)
- name: send chroot-bind.sh in /root - name: send chroot-bind.sh in /root
copy: ansible.builtin.copy:
src: chroot-bind.sh src: chroot-bind.sh
dest: /root/chroot-bind.sh dest: /root/chroot-bind.sh
mode: "0700" mode: "0700"
@ -81,19 +82,20 @@
when: bind_chroot_set | bool when: bind_chroot_set | bool
- name: exec chroot-bind.sh - name: exec chroot-bind.sh
command: "/root/chroot-bind.sh" ansible.builtin.command:
cmd: "/root/chroot-bind.sh"
register: chrootbind_run register: chrootbind_run
changed_when: False changed_when: False
when: bind_chroot_set | bool when: bind_chroot_set | bool
- debug: - ansible.builtin.debug:
var: chrootbind_run.stdout_lines var: chrootbind_run.stdout_lines
when: when:
- bind_chroot_set | bool - bind_chroot_set | bool
- chrootbind_run.stdout | length > 0 - chrootbind_run.stdout | length > 0
- name: Modify OPTIONS in /etc/default/bind9 for chroot - name: Modify OPTIONS in /etc/default/bind9 for chroot
replace: ansible.builtin.replace:
dest: /etc/default/bind9 dest: /etc/default/bind9
regexp: '^OPTIONS=.*' regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
@ -101,7 +103,7 @@
when: bind_chroot_set | bool when: bind_chroot_set | bool
- name: logrotate for bind - name: logrotate for bind
template: ansible.builtin.template:
src: logrotate_bind.j2 src: logrotate_bind.j2
dest: /etc/logrotate.d/bind9 dest: /etc/logrotate.d/bind9
owner: root owner: root
@ -110,4 +112,4 @@
force: yes force: yes
notify: restart bind notify: restart bind
- include: munin.yml - ansible.builtin.include: munin.yml
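Review bot: `ansible.builtin.include: authoritative.yml`, `recursive.yml` and `munin.yml` keep the generic `include` action under its FQCN, but that action has been deprecated since Ansible 2.4 in favour of `include_tasks`/`import_tasks` and is slated for removal from ansible-core, so ansible-lint will keep reporting it after this commit. `ansible.builtin.include_tasks` is the drop-in replacement that preserves the dynamic `when:` evaluation these three tasks rely on, e.g. `- ansible.builtin.include_tasks: authoritative.yml`. The certbot, dovecot and drbd main task files in this commit use the same construct and should be converted together.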


@ -1,7 +1,7 @@
--- ---
- name: is Munin present ? - name: is Munin present ?
stat: ansible.builtin.stat:
path: /etc/munin/plugin-conf.d/munin-node path: /etc/munin/plugin-conf.d/munin-node
check_mode: no check_mode: no
register: munin_node_plugins_config register: munin_node_plugins_config
@ -10,7 +10,7 @@
- munin - munin
- name: Enable munin plugins for authoritative server - name: Enable munin plugins for authoritative server
file: ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}" src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}"
state: link state: link
@ -18,31 +18,31 @@
- bind9 - bind9
- bind9_rndc - bind9_rndc
notify: restart munin-node notify: restart munin-node
when:
- bind_authoritative_server | bool
- munin_node_plugins_config.stat.exists
tags: tags:
- bind - bind
- munin - munin
when:
- bind_authoritative_server | bool
- munin_node_plugins_config.stat.exists
- name: Enable munin plugins for recursive server - name: Enable munin plugins for recursive server
file: ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}" src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}"
state: link state: link
loop: loop:
- bind9 - bind9
notify: restart munin-node notify: restart munin-node
tags:
- bind
- munin
when: when:
- bind_recursive_server | bool - bind_recursive_server | bool
- bind_query_file_enabled | bool - bind_query_file_enabled | bool
- munin_node_plugins_config.stat.exists - munin_node_plugins_config.stat.exists
tags:
- bind
- munin
- name: Add munin plugin configuration - name: Add munin plugin configuration
template: ansible.builtin.template:
src: munin-env_bind9.j2 src: munin-env_bind9.j2
dest: /etc/munin/plugin-conf.d/bind9 dest: /etc/munin/plugin-conf.d/bind9
owner: root owner: root
@ -50,7 +50,7 @@
mode: "0644" mode: "0644"
force: yes force: yes
notify: restart munin-node notify: restart munin-node
when: munin_node_plugins_config.stat.exists
tags: tags:
- bind - bind
- munin - munin
when: munin_node_plugins_config.stat.exists


@ -2,7 +2,7 @@
- name: Set bind configuration for recursive server - name: Set bind configuration for recursive server
template: ansible.builtin.template:
src: named.conf.options_recursive.j2 src: named.conf.options_recursive.j2
dest: /etc/bind/named.conf.options dest: /etc/bind/named.conf.options
owner: bind owner: bind
@ -12,7 +12,7 @@
notify: restart bind notify: restart bind
- name: enable zones.rfc1918 for recursive server - name: enable zones.rfc1918 for recursive server
lineinfile: ansible.builtin.lineinfile:
dest: /etc/bind/named.conf.local dest: /etc/bind/named.conf.local
line: 'include "/etc/bind/zones.rfc1918";' line: 'include "/etc/bind/zones.rfc1918";'
regexp: "zones.rfc1918" regexp: "zones.rfc1918"


@ -1,10 +1,10 @@
--- ---
- debug: - ansible.builtin.debug:
var: ansible_lsb var: ansible_lsb
# Force facts until Debian 12 is released because Ansible is dumb # Force facts until Debian 12 is released because Ansible is dumb
- set_fact: - ansible.builtin.set_fact:
ansible_distribution_major_version: 12 ansible_distribution_major_version: 12
ansible_distribution: "Debian" ansible_distribution: "Debian"
ansible_distribution_release: "bookworm" ansible_distribution_release: "bookworm"
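Review bot: `ansible_distribution_major_version: 12` overrides a fact that Ansible normally provides as a string; with an integer in place, any comparison written as `== "12"` elsewhere would fail even though `is version('12', '>=')` still passes. Quoting it — `ansible_distribution_major_version: "12"` — keeps the forced fact type-compatible with the real one. The bullseye file in this commit sets `11` the same way.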


@ -1,7 +1,7 @@
--- ---
# Force facts until Debian 11 is released because Ansible is dumb # Force facts until Debian 11 is released because Ansible is dumb
- set_fact: - ansible.builtin.set_fact:
ansible_distribution_major_version: 11 ansible_distribution_major_version: 11
ansible_distribution: "Debian" ansible_distribution: "Debian"
ansible_distribution_release: "bullseye" ansible_distribution_release: "bullseye"


@ -1,23 +1,24 @@
--- ---
- name: reload nginx - name: reload nginx
service: ansible.builtin.systemd:
name: nginx name: nginx
state: reloaded state: reloaded
- name: reload apache - name: reload apache
service: ansible.builtin.systemd:
name: apache2 name: apache2
state: reloaded state: reloaded
- name: reload haproxy - name: reload haproxy
service: ansible.builtin.systemd:
name: haproxy name: haproxy
state: reloaded state: reloaded
- name: systemd daemon-reload - name: systemd daemon-reload
systemd: ansible.builtin.systemd:
daemon_reload: yes daemon_reload: yes
- name: install letsencrypt-auto - name: install letsencrypt-auto
command: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade ansible.builtin.command:
cmd: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade
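Review bot: The three reload handlers change module, not just name: `service:` becomes `ansible.builtin.systemd:`, whereas the FQCN form of `service` is `ansible.builtin.service`. The systemd module only works on systemd hosts and does not delegate to other init systems the way `service` does; on Debian 8+ that is acceptable, but it is a behavioural change hidden inside a rename-only commit and deserves a mention in the message — or keep `ansible.builtin.service` here. The docker `restart docker` handler makes the same switch.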


@ -1,18 +1,18 @@
--- ---
- name: Certbot work directory is present - name: Certbot work directory is present
file: ansible.builtin.file:
dest: "{{ certbot_work_dir }}" dest: "{{ certbot_work_dir }}"
state: directory state: directory
mode: "0755" mode: "0755"
- name: Check if Nginx is installed - name: Check if Nginx is installed
stat: ansible.builtin.stat:
path: /etc/nginx path: /etc/nginx
register: is_nginx register: is_nginx
- name: ACME challenge for Nginx is installed - name: ACME challenge for Nginx is installed
template: ansible.builtin.template:
src: acme-challenge/nginx.conf.j2 src: acme-challenge/nginx.conf.j2
dest: /etc/nginx/snippets/letsencrypt.conf dest: /etc/nginx/snippets/letsencrypt.conf
force: yes force: yes
@ -20,32 +20,33 @@
when: is_nginx.stat.exists when: is_nginx.stat.exists
- name: Check if Apache is installed - name: Check if Apache is installed
stat: ansible.builtin.stat:
path: /usr/sbin/apachectl path: /usr/sbin/apachectl
register: is_apache register: is_apache
- name: ACME challenge for Apache - name: ACME challenge for Apache
block: block:
- name: ACME challenge for Apache is installed - name: ACME challenge for Apache is installed
template: ansible.builtin.template:
src: acme-challenge/apache.conf.j2 src: acme-challenge/apache.conf.j2
dest: /etc/apache2/conf-available/letsencrypt.conf dest: /etc/apache2/conf-available/letsencrypt.conf
force: yes force: yes
notify: reload apache notify: reload apache
- name: ACME challenge for Apache is enabled - name: ACME challenge for Apache is enabled
command: "a2enconf letsencrypt" ansible.builtin.command:
cmd: "a2enconf letsencrypt"
register: command_result register: command_result
changed_when: "'Enabling' in command_result.stderr" changed_when: "'Enabling' in command_result.stderr"
notify: reload apache notify: reload apache
when: is_apache.stat.exists when: is_apache.stat.exists
- name: Check if HAProxy is installed - name: Check if HAProxy is installed
stat: ansible.builtin.stat:
path: /etc/haproxy path: /etc/haproxy
register: is_haproxy register: is_haproxy
- name: ACME challenge for HAProxy is installed - name: ACME challenge for HAProxy is installed
debug: ansible.builtin.debug:
msg: "ACME challenge configuration for HAProxy must be configured manually" msg: "ACME challenge configuration for HAProxy must be configured manually"
when: is_haproxy.stat.exists when: is_haproxy.stat.exists


@ -1,16 +1,16 @@
--- ---
- name: certbot package is removed - name: certbot package is removed
apt: ansible.builtin.apt:
name: certbot name: certbot
state: absent state: absent
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto # copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
- name: Let's Encrypt script is present - name: Let's Encrypt script is present
copy: ansible.builtin.copy:
src: letsencrypt-auto src: letsencrypt-auto
dest: /usr/local/bin/letsencrypt-auto dest: /usr/local/bin/letsencrypt-auto
mode: '0755' mode: '0755'
@ -20,22 +20,23 @@
notify: install letsencrypt-auto notify: install letsencrypt-auto
- name: Check certbot script - name: Check certbot script
stat: ansible.builtin.stat:
path: /usr/local/bin/certbot path: /usr/local/bin/certbot
register: certbot_path register: certbot_path
- name: Rename certbot script if present - name: Rename certbot script if present
command: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak" ansible.builtin.command:
cmd: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak"
when: certbot_path.stat.exists when: certbot_path.stat.exists
- name: Let's Encrypt script is symlinked as certbot - name: Let's Encrypt script is symlinked as certbot
file: ansible.builtin.file:
src: "/usr/local/bin/letsencrypt-auto" src: "/usr/local/bin/letsencrypt-auto"
dest: "/usr/local/bin/certbot" dest: "/usr/local/bin/certbot"
state: link state: link
- name: systemd artefacts are absent - name: systemd artefacts are absent
file: ansible.builtin.file:
dest: "{{ item }}" dest: "{{ item }}"
state: absent state: absent
loop: loop:
@ -45,14 +46,14 @@
notify: systemd daemon-reload notify: systemd daemon-reload
- name: custom crontab is present - name: custom crontab is present
copy: ansible.builtin.copy:
src: cron_jessie src: cron_jessie
dest: /etc/cron.d/certbot dest: /etc/cron.d/certbot
force: yes force: yes
when: certbot_custom_crontab | bool when: certbot_custom_crontab | bool
- name: disable self-upgrade - name: disable self-upgrade
ini_file: community.general.ini_file:
dest: "/etc/letsencrypt/cli.ini" dest: "/etc/letsencrypt/cli.ini"
section: null section: null
option: "no-self-upgrade" option: "no-self-upgrade"
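Review bot: `community.general.ini_file` in the "disable self-upgrade" task makes the role depend on the `community.general` collection, and `community.crypto.openssl_dhparam` in the dovecot role does the same for `community.crypto`; neither ships with ansible-core, so these roles fail on a controller without them unless the collections are declared and version-pinned in a requirements.yml (no such file is visible in this diff). Pinning also keeps the collection code in scope for supply-chain review. Separately, the "Rename certbot script if present" task runs `mv` guarded only by a `stat` result; `removes: /usr/local/bin/certbot` and `creates: /usr/local/bin/certbot.bak` would make it check-mode aware and stop it from overwriting an earlier `.bak`.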


@ -1,6 +1,6 @@
--- ---
- name: certbot package is installed - name: certbot package is installed
apt: ansible.builtin.apt:
name: certbot name: certbot
state: latest state: latest


@ -1,28 +1,28 @@
--- ---
- name: "System compatibility checks" - name: "System compatibility checks"
assert: ansible.builtin.assert:
that: that:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=') - ansible_distribution_major_version is version('8', '>=')
msg: only compatible with Debian 9+ msg: only compatible with Debian 9+
- name: Install legacy script on Debian 8 - name: Install legacy script on Debian 8
include: install-legacy.yml ansible.builtin.include: install-legacy.yml
when: when:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '<') - ansible_distribution_major_version is version('9', '<')
- name: Install package on Debian 9+ - name: Install package on Debian 9+
include: install-package.yml ansible.builtin.include: install-package.yml
when: when:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=') - ansible_distribution_major_version is version('9', '>=')
- include: acme-challenge.yml - ansible.builtin.include: acme-challenge.yml
- name: Deploy hooks are present - name: Deploy hooks are present
copy: ansible.builtin.copy:
src: hooks/deploy/ src: hooks/deploy/
dest: /etc/letsencrypt/renewal-hooks/deploy/ dest: /etc/letsencrypt/renewal-hooks/deploy/
mode: "0700" mode: "0700"
@ -30,7 +30,7 @@
group: root group: root
- name: Manual deploy hook is present - name: Manual deploy hook is present
copy: ansible.builtin.copy:
src: hooks/manual-deploy.sh src: hooks/manual-deploy.sh
dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
mode: "0700" mode: "0700"
@ -38,7 +38,7 @@
group: root group: root
- name: "sync_remote is configured with servers" - name: "sync_remote is configured with servers"
lineinfile: ansible.builtin.lineinfile:
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
regexp: "^servers=" regexp: "^servers="
line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\"" line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\""
@ -46,14 +46,15 @@
# begining of backward compatibility tasks # begining of backward compatibility tasks
- name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present - name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present
command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh" ansible.builtin.command:
cmd: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
args: args:
removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
# end of backward compatibility tasks # end of backward compatibility tasks
- name: "certbot lock is ignored by Git" - name: "certbot lock is ignored by Git"
lineinfile: ansible.builtin.lineinfile:
dest: /etc/.gitignore dest: /etc/.gitignore
line: letsencrypt/.certbot.lock line: letsencrypt/.certbot.lock
create: yes create: yes
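Review bot: The "System compatibility checks" assert says `msg: only compatible with Debian 9+` while its condition is `ansible_distribution_major_version is version('8', '>=')` and the next task installs the legacy script specifically on Debian 8, so a host failing the check is told the wrong floor. Change it to `msg: only compatible with Debian 8+`. The `ansible.builtin.include` lines in this file have the same deprecation issue noted on the bind role.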


@ -1,5 +1,5 @@
--- ---
- name: restart clamav - name: restart clamav
service: ansible.builtin.service:
name: clamav-daemon name: clamav-daemon
state: restarted state: restarted


@ -1,6 +1,6 @@
--- ---
- name: configure clamav-daemon - name: configure clamav-daemon
debconf: ansible.builtin.debconf:
name: clamav-daemon name: clamav-daemon
question: "{{ item.key }}" question: "{{ item.key }}"
value: "{{ item.value }}" value: "{{ item.value }}"
@ -52,7 +52,7 @@
- clamav - clamav
- name: configure clamav-freshclam - name: configure clamav-freshclam
debconf: ansible.builtin.debconf:
name: clamav-freshclam name: clamav-freshclam
question: "{{ item.key }}" question: "{{ item.key }}"
value: "{{ item.value }}" value: "{{ item.value }}"
@ -73,7 +73,7 @@
- clamav - clamav
- name: install ClamAV - name: install ClamAV
apt: ansible.builtin.apt:
name: name:
- clamav-daemon - clamav-daemon
- clamav - clamav
@ -92,7 +92,7 @@
- clamav - clamav
- name: add clamav user to amavis group - name: add clamav user to amavis group
user: ansible.builtin.user:
name: clamav name: clamav
groups: amavis groups: amavis
append: True append: True
@ -100,7 +100,7 @@
- clamav - clamav
- name: allow supplementary groups - name: allow supplementary groups
replace: ansible.builtin.replace:
dest: /etc/clamav/clamd.conf dest: /etc/clamav/clamd.conf
regexp: 'AllowSupplementaryGroups false' regexp: 'AllowSupplementaryGroups false'
replace: 'AllowSupplementaryGroups true' replace: 'AllowSupplementaryGroups true'


@ -1,5 +1,5 @@
--- ---
- name: restart dhcp - name: restart dhcp
service: ansible.builtin.service:
name: isc-dhcp-server name: isc-dhcp-server
state: restarted state: restarted


@ -1,4 +1,4 @@
- name: ensure packages are installed - name: ensure packages are installed
apt: ansible.builtin.apt:
name: isc-dhcp-server name: isc-dhcp-server
state: present state: present


@ -1,10 +1,10 @@
--- ---
- name: reload systemd - name: reload systemd
systemd: ansible.builtin.systemd:
daemon-reload: yes daemon-reload: yes
- name: restart docker - name: restart docker
service: ansible.builtin.systemd:
name: docker name: docker
state: restarted state: restarted
enabled: yes enabled: yes


@ -1,16 +1,16 @@
--- ---
- name: restart dovecot - name: restart dovecot
service: ansible.builtin.service:
name: dovecot name: dovecot
state: restarted state: restarted
- name: reload dovecot - name: reload dovecot
service: ansible.builtin.service:
name: dovecot name: dovecot
state: reloaded state: reloaded
- name: restart log2mail - name: restart log2mail
service: ansible.builtin.service:
name: log2mail name: log2mail
state: restarted state: restarted


@ -1,5 +1,5 @@
- name: ensure packages are installed - name: ensure packages are installed
apt: ansible.builtin.apt:
name: name:
- dovecot-ldap - dovecot-ldap
- dovecot-imapd - dovecot-imapd
@ -11,12 +11,12 @@
- dovecot - dovecot
- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes) - name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
openssl_dhparam: community.crypto.openssl_dhparam:
path: /etc/ssl/dhparams.pem path: /etc/ssl/dhparams.pem
size: 4096 size: 4096
- name: disable pam auth - name: disable pam auth
replace: ansible.builtin.replace:
dest: /etc/dovecot/conf.d/10-auth.conf dest: /etc/dovecot/conf.d/10-auth.conf
regexp: "[^#]!include auth-system.conf.ext" regexp: "[^#]!include auth-system.conf.ext"
replace: "#!include auth-system.conf.ext" replace: "#!include auth-system.conf.ext"
@ -24,7 +24,7 @@
- dovecot - dovecot
- name: update ldap auth - name: update ldap auth
lineinfile: ansible.builtin.lineinfile:
dest: /etc/dovecot/dovecot-ldap.conf.ext dest: /etc/dovecot/dovecot-ldap.conf.ext
line: "{{ item.key }} = {{ item.value }}" line: "{{ item.key }} = {{ item.value }}"
regexp: "^#*{{ item.key }}" regexp: "^#*{{ item.key }}"
@ -43,7 +43,7 @@
- dovecot - dovecot
- name: create vmail group - name: create vmail group
group: ansible.builtin.group:
name: vmail name: vmail
gid: "{{ dovecot_vmail_gid }}" gid: "{{ dovecot_vmail_gid }}"
system: True system: True
@ -51,7 +51,7 @@
- dovecot - dovecot
- name: create vmail user - name: create vmail user
user: ansible.builtin.user:
name: vmail name: vmail
group: vmail group: vmail
uid: "{{ dovecot_vmail_uid }}" uid: "{{ dovecot_vmail_uid }}"
@ -61,7 +61,7 @@
- dovecot - dovecot
- name: deploy evolix config - name: deploy evolix config
template: ansible.builtin.template:
src: z-evolinux-defaults.conf.j2 src: z-evolinux-defaults.conf.j2
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
mode: "0644" mode: "0644"
@ -70,7 +70,7 @@
- dovecot - dovecot
- name: deploy file for custom configuration - name: deploy file for custom configuration
template: ansible.builtin.template:
src: zzz-evolinux-custom.conf.j2 src: zzz-evolinux-custom.conf.j2
dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf
mode: "0644" mode: "0644"
@ -78,18 +78,18 @@
tags: tags:
- dovecot - dovecot
- include: munin.yml - ansible.builtin.include: munin.yml
tags: tags:
- dovecot - dovecot
- name: log2mail is installed - name: log2mail is installed
apt: ansible.builtin.apt:
name: log2mail name: log2mail
state: present state: present
tags: dovecot tags: dovecot
- name: dovecot is configured in log2mail - name: dovecot is configured in log2mail
blockinfile: ansible.builtin.blockinfile:
path: /etc/log2mail/config/mail.conf path: /etc/log2mail/config/mail.conf
create: true create: true
owner: log2mail owner: log2mail
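Review bot: In the "disable pam auth" task, `regexp: "[^#]!include auth-system.conf.ext"` consumes one character before `!include` — in Python's `re` that class also matches a newline, so when the directive starts a line (presumably the case in Debian's stock 10-auth.conf) the match includes the preceding line break and the replacement `#!include auth-system.conf.ext` drops it, merging the directive onto the previous line. In the stock layout the previous line is blank, so only the blank line is lost, but a customised file could be silently corrupted. Anchoring to the line start, `regexp: '^!include auth-system\.conf\.ext'`, avoids that and also escapes the dots, which currently match any character; the task stays idempotent because the commented line no longer matches.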


@ -1,7 +1,7 @@
--- ---
- name: is Munin present ? - name: is Munin present ?
stat: ansible.builtin.stat:
path: /etc/munin/plugin-conf.d/munin-node path: /etc/munin/plugin-conf.d/munin-node
check_mode: no check_mode: no
register: munin_node_plugins_config register: munin_node_plugins_config
@ -9,13 +9,13 @@
- name: Munin plugins are present and configured - name: Munin plugins are present and configured
block: block:
- name: Install munin plugin - name: Install munin plugin
copy: ansible.builtin.copy:
src: munin_plugin src: munin_plugin
dest: /etc/munin/plugins/dovecot dest: /etc/munin/plugins/dovecot
mode: "0755" mode: "0755"
- name: Install munin config - name: Install munin config
copy: ansible.builtin.copy:
src: munin_config src: munin_config
dest: /etc/munin/plugin-conf.d/dovecot dest: /etc/munin/plugin-conf.d/dovecot
mode: "0644" mode: "0644"


@ -1,5 +1,5 @@
--- ---
- name: restart munin-node - name: restart munin-node
service: ansible.builtin.service:
name: munin-node name: munin-node
state: restarted state: restarted


@ -1,6 +1,6 @@
--- ---
- include: packages.yml - ansible.builtin.include: packages.yml
- include: munin.yml - ansible.builtin.include: munin.yml
- include: nagios.yml - ansible.builtin.include: nagios.yml


@ -1,7 +1,7 @@
--- ---
- name: Check if Munin plugins exists - name: Check if Munin plugins exists
stat: ansible.builtin.stat:
path: /etc/munin/plugins/ path: /etc/munin/plugins/
register: munin_plugins_dir register: munin_plugins_dir
check_mode: no check_mode: no
@ -10,7 +10,7 @@
# https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/drbd/drbd # https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/drbd/drbd
- name: Get Munin plugin - name: Get Munin plugin
copy: ansible.builtin.copy:
src: munin/drbd-plugin src: munin/drbd-plugin
dest: /etc/munin/plugins/drbd dest: /etc/munin/plugins/drbd
mode: "0755" mode: "0755"
@ -20,7 +20,7 @@
- drbd - drbd
- name: Copy Munin plugin conf - name: Copy Munin plugin conf
copy: ansible.builtin.copy:
src: munin/drbd-config src: munin/drbd-config
dest: /etc/munin/plugin-conf.d/drbd dest: /etc/munin/plugin-conf.d/drbd
mode: "0644" mode: "0644"


@ -1,21 +1,21 @@
--- ---
- name: Check if Nagios is installed - name: Check if Nagios is installed
stat: ansible.builtin.stat:
path: /usr/local/lib/nagios/plugins/ path: /usr/local/lib/nagios/plugins/
register: nagios_plugins_dir register: nagios_plugins_dir
check_mode: no check_mode: no
tags: tags:
- drbd - drbd
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
tags: tags:
- drbd - drbd
# https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=3367&cf_id=30 # https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=3367&cf_id=30
- name: Install Nagios plugin - name: Install Nagios plugin
copy: ansible.builtin.copy:
src: "nagios/check_drbd" src: "nagios/check_drbd"
dest: "/usr/local/lib/nagios/plugins/check_drbd" dest: "/usr/local/lib/nagios/plugins/check_drbd"
mode: "0755" mode: "0755"


@ -1,5 +1,5 @@
- name: Install dependency - name: Install dependency
apt: ansible.builtin.apt:
name: name:
- drbd-utils - drbd-utils
- lvm2 - lvm2
@ -7,7 +7,7 @@
- drbd - drbd
- name: Enable drbd.service - name: Enable drbd.service
service: ansible.builtin.service:
name: drbd name: drbd
enabled: yes enabled: yes
tags: tags:


@ -1,7 +1,7 @@
--- ---
- name: restart elasticsearch - name: restart elasticsearch
systemd: ansible.builtin.systemd:
daemon_reload: yes daemon_reload: yes
name: elasticsearch name: elasticsearch
state: restarted state: restarted


@ -1,11 +1,11 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
when: elasticsearch_additional_scripts_dir is search("/usr") when: elasticsearch_additional_scripts_dir is search("/usr")
- name: "{{ elasticsearch_additional_scripts_dir }} exists" - name: "{{ elasticsearch_additional_scripts_dir }} exists"
file: ansible.builtin.file:
dest: "{{ elasticsearch_additional_scripts_dir }}" dest: "{{ elasticsearch_additional_scripts_dir }}"
mode: "0700" mode: "0700"
owner: root owner: root
@ -13,7 +13,7 @@
state: directory state: directory
- name: Plugins upgrade script is installed - name: Plugins upgrade script is installed
copy: ansible.builtin.copy:
src: upgrade_elasticsearch_plugins.sh src: upgrade_elasticsearch_plugins.sh
dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh" dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh"
mode: "0755" mode: "0755"


@ -1,7 +1,8 @@
--- ---
- name: Read maximum map count - name: Read maximum map count
command: "sysctl -n vm.max_map_count" ansible.builtin.command:
cmd: "sysctl -n vm.max_map_count"
register: max_map_count register: max_map_count
failed_when: False failed_when: False
changed_when: False changed_when: False
@ -9,7 +10,7 @@
- config - config
- name: Maximum map count check - name: Maximum map count check
sysctl: ansible.posix.sysctl:
name: vm.max_map_count name: vm.max_map_count
value: 262144 value: 262144
sysctl_file: /etc/sysctl.d/elasticsearch.conf sysctl_file: /etc/sysctl.d/elasticsearch.conf
@ -18,7 +19,7 @@
- config - config
- name: bootstrap.memory_lock - name: bootstrap.memory_lock
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "bootstrap.memory_lock: true" line: "bootstrap.memory_lock: true"
regexp: "^bootstrap.memory_lock:" regexp: "^bootstrap.memory_lock:"
@ -27,12 +28,12 @@
- config - config
- name: Create a system config directory for systemd overrides - name: Create a system config directory for systemd overrides
file: ansible.builtin.file:
path: /etc/systemd/system/elasticsearch.service.d path: /etc/systemd/system/elasticsearch.service.d
state: directory state: directory
- name: Override memory config in systemd unit - name: Override memory config in systemd unit
ini_file: community.general.ini_file:
dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
section: Service section: Service
option: "LimitMEMLOCK" option: "LimitMEMLOCK"


@ -1,7 +1,7 @@
--- ---
- name: Configure cluster name - name: Configure cluster name
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "cluster.name: {{ elasticsearch_cluster_name }}" line: "cluster.name: {{ elasticsearch_cluster_name }}"
regexp: "^cluster.name:" regexp: "^cluster.name:"
@ -11,7 +11,7 @@
- config - config
- name: Configure node name - name: Configure node name
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "node.name: {{ elasticsearch_node_name }}" line: "node.name: {{ elasticsearch_node_name }}"
regexp: "^node.name:" regexp: "^node.name:"
@ -20,7 +20,7 @@
- config - config
- name: Configure network host - name: Configure network host
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "network.host: {{ elasticsearch_network_host }}" line: "network.host: {{ elasticsearch_network_host }}"
regexp: "^network.host:" regexp: "^network.host:"
@ -30,7 +30,7 @@
- config - config
- name: Configure network publish_host - name: Configure network publish_host
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "network.publish_host: {{ elasticsearch_network_publish_host }}" line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
regexp: "^network.publish_host:" regexp: "^network.publish_host:"
@ -40,7 +40,7 @@
- config - config
- name: Configure http publish_host - name: Configure http publish_host
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "http.publish_host: {{ elasticsearch_http_publish_host }}" line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
regexp: "^http.publish_host:" regexp: "^http.publish_host:"
@ -50,7 +50,7 @@
- config - config
- name: Configure discovery seed hosts - name: Configure discovery seed hosts
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}" line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}"
regexp: "^discovery.seed_hosts:" regexp: "^discovery.seed_hosts:"
@ -59,7 +59,7 @@
- config - config
- name: Configure empty discovery seed hosts - name: Configure empty discovery seed hosts
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
regexp: "^discovery.seed_hosts:" regexp: "^discovery.seed_hosts:"
state: absent state: absent
@ -68,7 +68,7 @@
- config - config
- name: Configure initial master nodes - name: Configure initial master nodes
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}" line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}"
regexp: "^cluster.initial_master_nodes:" regexp: "^cluster.initial_master_nodes:"
@ -77,7 +77,7 @@
- config - config
- name: Configure empty initial master nodes - name: Configure empty initial master nodes
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
regexp: "^cluster.initial_master_nodes:" regexp: "^cluster.initial_master_nodes:"
state: absent state: absent
@ -86,7 +86,7 @@
- config - config
- name: Configure RESTART_ON_UPGRADE - name: Configure RESTART_ON_UPGRADE
lineinfile: ansible.builtin.lineinfile:
dest: /etc/default/elasticsearch dest: /etc/default/elasticsearch
line: "RESTART_ON_UPGRADE={{ elasticsearch_restart_on_upgrade | bool | ternary('true','false') }}" line: "RESTART_ON_UPGRADE={{ elasticsearch_restart_on_upgrade | bool | ternary('true','false') }}"
regexp: "^RESTART_ON_UPGRADE=" regexp: "^RESTART_ON_UPGRADE="
@ -95,7 +95,7 @@
- config - config
- name: JVM Heap size (min) is set - name: JVM Heap size (min) is set
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/jvm.options.d/evolinux.options dest: /etc/elasticsearch/jvm.options.d/evolinux.options
regexp: "^-Xms" regexp: "^-Xms"
line: "-Xms{{ elasticsearch_jvm_xms }}" line: "-Xms{{ elasticsearch_jvm_xms }}"
@ -107,7 +107,7 @@
- config - config
- name: JVM Heap size (max) is set - name: JVM Heap size (max) is set
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/jvm.options.d/evolinux.options dest: /etc/elasticsearch/jvm.options.d/evolinux.options
regexp: "^-Xmx" regexp: "^-Xmx"
line: "-Xmx{{ elasticsearch_jvm_xmx }}" line: "-Xmx{{ elasticsearch_jvm_xmx }}"
@ -119,7 +119,7 @@
- config - config
- name: Disable garbage collector logs (JDK >= 9) - name: Disable garbage collector logs (JDK >= 9)
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/jvm.options dest: /etc/elasticsearch/jvm.options
regexp: "Xlog:gc" regexp: "Xlog:gc"
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m" line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
@ -130,7 +130,7 @@
- config - config
- name: Configure cluster members - name: Configure cluster members
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}" line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
regexp: "^discovery.zen.ping.unicast.hosts:" regexp: "^discovery.zen.ping.unicast.hosts:"
@ -140,7 +140,7 @@
- config - config
- name: Configure minimum master nodes - name: Configure minimum master nodes
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}" line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
regexp: "^discovery.zen.minimum_master_nodes:" regexp: "^discovery.zen.minimum_master_nodes:"
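Review bot: The `regexp` anchors throughout this file leave the dots unescaped (`^cluster.name:`, `^network.host:`, `^discovery.zen.minimum_master_nodes:`), so `.` matches any character rather than a literal dot; with one key per line in elasticsearch.yml this is harmless today, but it is the kind of regex that silently matches the wrong line once keys with shared prefixes appear. Writing them literally, e.g. `regexp: '^cluster\.name:'`, keeps each lineinfile bound to exactly the key its `line:` sets. The `when:`/`notify:` of these tasks are outside the hunks.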


@ -1,11 +1,11 @@
--- ---
- name: Use the correct debian repository - name: Use the correct debian repository
set_fact: ansible.builtin.set_fact:
curator_debian_repository: '{% if ansible_distribution_release == "jessie" %}debian{% else %}debian9{% endif %}' curator_debian_repository: '{% if ansible_distribution_release == "jessie" %}debian{% else %}debian9{% endif %}'
- name: Curator sources list is available - name: Curator sources list is available
apt_repository: ansible.builtin.apt_repository:
repo: "deb https://packages.elastic.co/curator/5/{{ curator_debian_repository }} stable main" repo: "deb https://packages.elastic.co/curator/5/{{ curator_debian_repository }} stable main"
filename: curator filename: curator
update_cache: yes update_cache: yes
@ -15,7 +15,7 @@
- packages - packages
- name: Curator package is installed - name: Curator package is installed
apt: ansible.builtin.apt:
name: elasticsearch-curator name: elasticsearch-curator
state: present state: present
tags: tags:


@ -3,13 +3,13 @@
- name: Set real datadir value when customized - name: Set real datadir value when customized
block: block:
- name: "Is custom datadir present ?" - name: "Is custom datadir present ?"
stat: ansible.builtin.stat:
path: "{{ elasticsearch_custom_datadir }}" path: "{{ elasticsearch_custom_datadir }}"
register: elasticsearch_custom_datadir_test register: elasticsearch_custom_datadir_test
check_mode: no check_mode: no
- name: "read the real datadir" - name: "read the real datadir"
command: readlink -f /var/lib/elasticsearch ansible.builtin.command: readlink -f /var/lib/elasticsearch
changed_when: False changed_when: False
register: elasticsearch_current_real_datadir_test register: elasticsearch_current_real_datadir_test
check_mode: no check_mode: no
@ -22,23 +22,24 @@
- name: Datadir is moved to custom path - name: Datadir is moved to custom path
block: block:
- name: elasticsearch is stopped - name: elasticsearch is stopped
service: ansible.builtin.service:
name: elasticsearch name: elasticsearch
state: stopped state: stopped
- name: Move elasticsearch datadir to custom datadir - name: Move elasticsearch datadir to custom datadir
command: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }} ansible.builtin.command:
cmd: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}
args: args:
creates: "{{ elasticsearch_custom_datadir }}" creates: "{{ elasticsearch_custom_datadir }}"
- name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch - name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch
file: ansible.builtin.file:
src: "{{ elasticsearch_custom_datadir }}" src: "{{ elasticsearch_custom_datadir }}"
dest: '/var/lib/elasticsearch' dest: '/var/lib/elasticsearch'
state: link state: link
- name: elasticsearch is started - name: elasticsearch is started
service: ansible.builtin.service:
name: elasticsearch name: elasticsearch
state: started state: started
tags: tags:
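Review bot: The move task builds `cmd: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}` as one string that `ansible.builtin.command` splits on whitespace, so a datadir path containing a space or quote yields the wrong argument list (no shell is involved, so this is a robustness problem, not command injection). The `argv` form, already used elsewhere in this commit, passes both paths as exact arguments and `creates` can stay as a module parameter. The `readlink -f` task a few lines up is also still free-form while its siblings were converted to `cmd:`; one form per file reads better.

```yaml
    - name: Move elasticsearch datadir to custom datadir
      ansible.builtin.command:
        argv:
          - mv
          - "{{ elasticsearch_current_real_datadir_test.stdout }}"
          - "{{ elasticsearch_custom_datadir }}"
        creates: "{{ elasticsearch_custom_datadir }}"
```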


@ -1,8 +1,8 @@
--- ---
- name: Check if cron is installed - name: Check if cron is installed
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" ansible.builtin.shell:
args: cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
executable: /bin/bash executable: /bin/bash
check_mode: no check_mode: no
failed_when: False failed_when: False
@ -10,7 +10,7 @@
register: is_cron_installed register: is_cron_installed
- name: "log rotation script" - name: "log rotation script"
template: ansible.builtin.template:
src: rotate_elasticsearch_logs.j2 src: rotate_elasticsearch_logs.j2
dest: /etc/cron.daily/rotate_elasticsearch_logs dest: /etc/cron.daily/rotate_elasticsearch_logs
owner: root owner: root


@ -1,21 +1,21 @@
--- ---
- include: packages.yml - ansible.builtin.include: packages.yml
- include: configuration.yml - ansible.builtin.include: configuration.yml
- include: bootstrap_checks.yml - ansible.builtin.include: bootstrap_checks.yml
- include: tmpdir.yml - ansible.builtin.include: tmpdir.yml
- include: datadir.yml - ansible.builtin.include: datadir.yml
- include: logs.yml - ansible.builtin.include: logs.yml
- include: additional_scripts.yml - ansible.builtin.include: additional_scripts.yml
- include: plugin_head.yml - ansible.builtin.include: plugin_head.yml
when: elasticsearch_plugin_head | bool when: elasticsearch_plugin_head | bool
- include: curator.yml - ansible.builtin.include: curator.yml
when: elasticsearch_curator | bool when: elasticsearch_curator | bool
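Review bot: Every entry in this file is now `ansible.builtin.include`, which is the FQCN of the deprecated `include` action (superseded by `include_tasks`/`import_tasks` and scheduled for removal in a later ansible-core), so the rename carries the deprecation forward instead of retiring it. The last two includes rely on the `when:` being evaluated once on the include itself, which `include_tasks` preserves: `- ansible.builtin.include_tasks: plugin_head.yml` with its `when:` unchanged, and likewise for the other entries. Using `import_tasks` instead would push the condition onto every imported task and changes how the role's tags apply, so it needs a separate check.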


@ -1,7 +1,7 @@
--- ---
- name: "User {{ elasticsearch_plugin_head_owner }} is present" - name: "User {{ elasticsearch_plugin_head_owner }} is present"
user: ansible.builtin.user:
name: "{{ elasticsearch_plugin_head_owner }}" name: "{{ elasticsearch_plugin_head_owner }}"
home: "{{ elasticsearch_plugin_head_home }}" home: "{{ elasticsearch_plugin_head_home }}"
createhome: yes createhome: yes
@ -11,7 +11,7 @@
- name: Head plugin is installed - name: Head plugin is installed
block: block:
- name: Head repository is checked-out - name: Head repository is checked-out
git: ansible.builtin.git:
repo: "https://github.com/mobz/elasticsearch-head.git" repo: "https://github.com/mobz/elasticsearch-head.git"
dest: "{{ elasticsearch_plugin_head_clone_dir }}" dest: "{{ elasticsearch_plugin_head_clone_dir }}"
clone: yes clone: yes
@ -19,12 +19,12 @@
- packages - packages
- name: Create tmpdir - name: Create tmpdir
file: ansible.builtin.file:
dest: "{{ elasticsearch_plugin_head_tmp_dir }}" dest: "{{ elasticsearch_plugin_head_tmp_dir }}"
state: directory state: directory
- name: NPM packages for head are installed - name: NPM packages for head are installed
npm: community.general.npm:
path: "{{ elasticsearch_plugin_head_clone_dir }}" path: "{{ elasticsearch_plugin_head_clone_dir }}"
tags: tags:
- packages - packages
@ -35,7 +35,7 @@
become: yes become: yes
- name: Elasticsearch HTTP/CORS are enabled - name: Elasticsearch HTTP/CORS are enabled
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "http.cors.enabled: true" line: "http.cors.enabled: true"
regexp: "^http.cors.enabled:" regexp: "^http.cors.enabled:"
@ -46,7 +46,7 @@
- elasticsearch - elasticsearch
- name: Elasticsearch HTTP/CORS accepts all origins - name: Elasticsearch HTTP/CORS accepts all origins
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
line: "http.cors.allow-origin: \"*\"" line: "http.cors.allow-origin: \"*\""
regexp: "^http.cors.allow-origin:" regexp: "^http.cors.allow-origin:"
@ -57,7 +57,7 @@
- elasticsearch - elasticsearch
- name: Install systemd unit - name: Install systemd unit
template: ansible.builtin.template:
src: elasticsearch-head.service.j2 src: elasticsearch-head.service.j2
dest: /etc/systemd/system/elasticsearch-head.service dest: /etc/systemd/system/elasticsearch-head.service
tags: tags:
@ -65,7 +65,7 @@
- systemd - systemd
- name: Enable systemd unit - name: Enable systemd unit
systemd: ansible.builtin.systemd:
name: elasticsearch-head name: elasticsearch-head
daemon_reload: yes daemon_reload: yes
enabled: yes enabled: yes
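Review bot: The head plugin is cloned from `https://github.com/mobz/elasticsearch-head.git` with no `version:` visible in the hunk, and `community.general.npm` then installs whatever that checkout's package.json resolves to at run time, so each run executes code chosen by upstream and the npm registry at that moment rather than a reviewed revision. Pinning the checkout, e.g. `version: "{{ elasticsearch_plugin_head_version }}"` with a default set to a known tag or commit, makes the installed code reproducible. Separately, the two lineinfile tasks set `http.cors.enabled: true` and `http.cors.allow-origin: "*"`, which allows any web page loaded in a browser that can reach the Elasticsearch HTTP port to issue cross-origin requests to it; limiting the origin to where head is actually served (a variable with a restrictive default) is safer than the wildcard.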


@ -1,7 +1,8 @@
--- ---
- name: Check if /tmp is noexec - name: Check if /tmp is noexec
shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" ansible.builtin.shell:
cmd: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec"
register: fstab_tmp_noexec register: fstab_tmp_noexec
failed_when: False failed_when: False
changed_when: False changed_when: False
@ -9,13 +10,13 @@
- name: Tmpdir is moved to custom path - name: Tmpdir is moved to custom path
block: block:
- set_fact: - ansible.builtin.set_fact:
_elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}" _elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}"
tags: tags:
- elasticsearch - elasticsearch
- name: "Create {{ _elasticsearch_custom_tmpdir }}" - name: "Create {{ _elasticsearch_custom_tmpdir }}"
file: ansible.builtin.file:
path: "{{ _elasticsearch_custom_tmpdir }}" path: "{{ _elasticsearch_custom_tmpdir }}"
owner: elasticsearch owner: elasticsearch
group: elasticsearch group: elasticsearch
@ -25,7 +26,7 @@
- elasticsearch - elasticsearch
- name: change JVM tmpdir (< 6.x) - name: change JVM tmpdir (< 6.x)
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/jvm.options.d/evolinux.options dest: /etc/elasticsearch/jvm.options.d/evolinux.options
line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}" line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
regexp: "^-Djava.io.tmpdir=" regexp: "^-Djava.io.tmpdir="
@ -40,7 +41,7 @@
when: elastic_stack_version is version('6', '<') when: elastic_stack_version is version('6', '<')
- name: check if ES_TMPDIR is available (>= 6.x) - name: check if ES_TMPDIR is available (>= 6.x)
lineinfile: ansible.builtin.lineinfile:
dest: /etc/default/elasticsearch dest: /etc/default/elasticsearch
line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}" line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}"
regexp: "^ES_TMPDIR=" regexp: "^ES_TMPDIR="
@ -53,7 +54,7 @@
# Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config. # Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config.
- name: change JVM tmpdir (>= 6.x) - name: change JVM tmpdir (>= 6.x)
lineinfile: ansible.builtin.lineinfile:
dest: /etc/elasticsearch/jvm.options dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir=${ES_TMPDIR}" line: "-Djava.io.tmpdir=${ES_TMPDIR}"
regexp: "^-Djava.io.tmpdir=" regexp: "^-Djava.io.tmpdir="
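Review bot: The noexec check `cat /etc/fstab | grep -E " +/tmp" | grep noexec` is a pipeline run through `ansible.builtin.shell` without `set -o pipefail`, unlike the `dpkg -l cron` checks elsewhere in this commit, and it reads fstab rather than the mount table, so a /tmp mounted noexec by other means, or an fstab entry not yet applied, gives the opposite answer. A form consistent with the other shell tasks is `cmd: "set -o pipefail && grep -E ' +/tmp' /etc/fstab | grep noexec"` together with `executable: /bin/bash`; reading the /tmp entry's options from `ansible_mounts` would reflect the running system instead. Since `failed_when: False` is set, the registered result is used as a boolean either way, so this is about accuracy rather than failures; the `when:` consuming it is outside the hunk.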


@ -1,7 +1,8 @@
--- ---
- name: "Execute ansible-commit" - name: "Execute ansible-commit"
command: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\"" ansible.builtin.command:
cmd: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\""
changed_when: changed_when:
- _ansible_commit.stdout - _ansible_commit.stdout
- "'CHANGED:' in _ansible_commit.stdout" - "'CHANGED:' in _ansible_commit.stdout"
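Review bot: The commit message is interpolated into the command string `cmd: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\""`, which `ansible.builtin.command` tokenises shlex-style, so a message containing a double quote ends the quoted token early and the remainder is either split into extra arguments for the script or rejected as an unbalanced quote (no shell is involved, so this is argument splitting, not command injection). The sibling evocommit task in this role already uses the `argv` form; doing the same here passes the message as a single argument whatever it contains. The task's `register` is outside the hunk.

```yaml
- name: "Execute ansible-commit"
  ansible.builtin.command:
    argv:
      - /usr/local/bin/ansible-commit
      - --verbose
      - --message
      - "{{ commit_message | mandatory }}"
  # … unchanged: changed_when / register …
```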


@ -1,15 +1,15 @@
--- ---
- name: "Assert that we have been called with `container` defined" - name: "Assert that we have been called with `container` defined"
assert: ansible.builtin.assert:
that: that:
- container is defined - container is defined
- name: "Define path to /etc in {{ container }} container" - name: "Define path to /etc in {{ container }} container"
set_fact: ansible.builtin.set_fact:
container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}" container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}"
- name: "Check if /etc is a git repository in {{ container }}" - name: "Check if /etc is a git repository in {{ container }}"
stat: ansible.builtin.stat:
path: "{{ (container_etc, '.git') | path_join }}" path: "{{ (container_etc, '.git') | path_join }}"
get_attributes: no get_attributes: no
get_checksum: no get_checksum: no
@ -17,7 +17,7 @@
register: "container_etc_git" register: "container_etc_git"
- name: "Evocommit /etc of {{ container }}" - name: "Evocommit /etc of {{ container }}"
command: ansible.builtin.command:
argv: argv:
- /usr/local/bin/evocommit - /usr/local/bin/evocommit
- '--ansible' - '--ansible'
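Review bot: `container` is only asserted to be defined before it is joined into `/var/lib/lxc/<container>/rootfs/etc` and handed to evocommit, so a caller-supplied value containing a slash or `..` resolves to a path outside the containers tree and the stat/commit then operate on whatever that path is. Since the assert already exists, tightening it documents and enforces the expectation in one line: add `- "'/' not in container and container not in ['.', '..']"` under `that:`. The evocommit argv list continues outside the hunk.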


@ -1,7 +1,7 @@
--- ---
- name: Git is installed (Debian) - name: Git is installed (Debian)
apt: ansible.builtin.apt:
name: git name: git
state: present state: present
tags: tags:
@ -10,12 +10,12 @@
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- name: Install and configure utilities - name: Install and configure utilities
include: utils.yml ansible.builtin.include: utils.yml
tags: tags:
- etc-git - etc-git
- name: Configure repositories - name: Configure repositories
include: repositories.yml ansible.builtin.include: repositories.yml
tags: tags:
- etc-git - etc-git
when: etc_git_config_repositories | bool when: etc_git_config_repositories | bool


@ -1,6 +1,6 @@
--- ---
- include: repository.yml - ansible.builtin.include: repository.yml
vars: vars:
repository_path: "/etc" repository_path: "/etc"
gitignore_items: gitignore_items:
@ -15,18 +15,18 @@
- etc-git - etc-git
- name: verify /usr/share/scripts presence - name: verify /usr/share/scripts presence
stat: ansible.builtin.stat:
path: /usr/share/scripts path: /usr/share/scripts
register: _usr_share_scripts register: _usr_share_scripts
tags: tags:
- etc-git - etc-git
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
when: when:
- _usr_share_scripts.stat.isdir - _usr_share_scripts.stat.isdir
- include: repository.yml - ansible.builtin.include: repository.yml
vars: vars:
repository_path: "/usr/share/scripts" repository_path: "/usr/share/scripts"
gitignore_items: [] gitignore_items: []


@ -1,11 +1,12 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
when: repository_path is search("/usr") when: repository_path is search("/usr")
- name: "{{ repository_path }} is versioned with git" - name: "{{ repository_path }} is versioned with git"
command: "git init ." ansible.builtin.command:
cmd: "git init ."
args: args:
chdir: "{{ repository_path }}" chdir: "{{ repository_path }}"
creates: "{{ repository_path }}/.git/" creates: "{{ repository_path }}/.git/"
@ -14,7 +15,7 @@
- etc-git - etc-git
- name: Git user.email is configured - name: Git user.email is configured
git_config: community.general.git_config:
name: user.email name: user.email
repo: "{{ repository_path }}" repo: "{{ repository_path }}"
scope: local scope: local
@ -23,7 +24,7 @@
- etc-git - etc-git
- name: "{{ repository_path }}/.git is restricted to root" - name: "{{ repository_path }}/.git is restricted to root"
file: ansible.builtin.file:
path: "{{ repository_path }}/.git" path: "{{ repository_path }}/.git"
owner: root owner: root
mode: "0700" mode: "0700"
@ -32,7 +33,7 @@
- etc-git - etc-git
- name: "{{ repository_path }}/.gitignore is present" - name: "{{ repository_path }}/.gitignore is present"
copy: ansible.builtin.copy:
src: gitignore src: gitignore
dest: "{{ repository_path }}/.gitignore" dest: "{{ repository_path }}/.gitignore"
owner: root owner: root
@ -42,7 +43,7 @@
- etc-git - etc-git
- name: "Some entries MUST be in the {{ repository_path }}/.gitignore file" - name: "Some entries MUST be in the {{ repository_path }}/.gitignore file"
lineinfile: ansible.builtin.lineinfile:
dest: "{{ repository_path }}/.gitignore" dest: "{{ repository_path }}/.gitignore"
line: "{{ item }}" line: "{{ item }}"
loop: "{{ gitignore_items | default([]) }}" loop: "{{ gitignore_items | default([]) }}"
@ -50,7 +51,8 @@
- etc-git - etc-git
- name: "does {{ repository_path }}/ have any commit?" - name: "does {{ repository_path }}/ have any commit?"
command: "git log" ansible.builtin.command:
cmd: "git log"
args: args:
chdir: "{{ repository_path }}" chdir: "{{ repository_path }}"
changed_when: False changed_when: False
@ -61,7 +63,8 @@
- etc-git - etc-git
- name: initial commit is present? - name: initial commit is present?
shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" ansible.builtin.shell:
cmd: "git add -A . && git commit -m \"Initial commit via Ansible\""
args: args:
chdir: "{{ repository_path }}" chdir: "{{ repository_path }}"
register: git_commit register: git_commit


@ -1,12 +1,12 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
tags: tags:
- etc-git - etc-git
- name: "evocommit script is installed" - name: "evocommit script is installed"
copy: ansible.builtin.copy:
src: evocommit src: evocommit
dest: /usr/local/bin/evocommit dest: /usr/local/bin/evocommit
mode: "0755" mode: "0755"
@ -15,7 +15,7 @@
- etc-git - etc-git
- name: "ansible-commit script is installed" - name: "ansible-commit script is installed"
copy: ansible.builtin.copy:
src: ansible-commit src: ansible-commit
dest: /usr/local/bin/ansible-commit dest: /usr/local/bin/ansible-commit
mode: "0755" mode: "0755"
@ -24,7 +24,7 @@
- etc-git - etc-git
- name: "etc-git-optimize script is installed" - name: "etc-git-optimize script is installed"
copy: ansible.builtin.copy:
src: etc-git-optimize src: etc-git-optimize
dest: /usr/share/scripts/etc-git-optimize dest: /usr/share/scripts/etc-git-optimize
mode: "0755" mode: "0755"
@ -33,7 +33,7 @@
- etc-git - etc-git
- name: "etc-git-status script is installed" - name: "etc-git-status script is installed"
copy: ansible.builtin.copy:
src: etc-git-status src: etc-git-status
dest: /usr/share/scripts/etc-git-status dest: /usr/share/scripts/etc-git-status
mode: "0755" mode: "0755"
@ -42,8 +42,8 @@
- etc-git - etc-git
- name: Check if cron is installed - name: Check if cron is installed
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" ansible.builtin.shell:
args: cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
executable: /bin/bash executable: /bin/bash
failed_when: False failed_when: False
changed_when: False changed_when: False
@ -52,7 +52,7 @@
- block: - block:
- name: Legacy cron jobs for /etc/.git status are absent - name: Legacy cron jobs for /etc/.git status are absent
file: ansible.builtin.file:
dest: "{{ item }}" dest: "{{ item }}"
state: absent state: absent
loop: loop:
@ -60,7 +60,7 @@
- /etc/cron.d/etc-git-status - /etc/cron.d/etc-git-status
- name: Cron job for monthly git optimization - name: Cron job for monthly git optimization
cron: ansible.builtin.cron:
name: "Monthly optimization" name: "Monthly optimization"
cron_file: etc-git cron_file: etc-git
special_time: "monthly" special_time: "monthly"
@ -68,7 +68,7 @@
job: "/usr/share/scripts/etc-git-optimize" job: "/usr/share/scripts/etc-git-optimize"
- name: Cron job for hourly git status - name: Cron job for hourly git status
cron: ansible.builtin.cron:
name: "Hourly warning for unclean Git repository if nobody is connected" name: "Hourly warning for unclean Git repository if nobody is connected"
cron_file: etc-git cron_file: etc-git
special_time: "hourly" special_time: "hourly"
@ -77,7 +77,7 @@
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}" state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
- name: Cron job for daily git status - name: Cron job for daily git status
cron: ansible.builtin.cron:
name: "Daily warning for unclean Git repository" name: "Daily warning for unclean Git repository"
cron_file: etc-git cron_file: etc-git
user: root user: root


@ -1,25 +1,27 @@
- name: newaliases - name: newaliases
command: newaliases ansible.builtin.command:
cmd: newaliases
- name: Test Apache conf - name: Test Apache conf
command: apache2ctl -t ansible.builtin.command:
cmd: apache2ctl -t
notify: "Reload Apache conf" notify: "Reload Apache conf"
- name: reload apache2 - name: reload apache2
service: ansible.builtin.service:
name: apache2 name: apache2
state: reloaded state: reloaded
- name: apt update - name: apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
- name: reload squid3 - name: reload squid3
service: ansible.builtin.service:
name: squid3 name: squid3
state: reloaded state: reloaded
- name: reload squid - name: reload squid
service: ansible.builtin.service:
name: squid name: squid
state: reloaded state: reloaded
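Review bot: `update_cache: yes` on the `apt update` handler is a YAML 1.1 truthy literal that yamllint's `truthy` rule flags and that YAML 1.2 parsers read as the string "yes"; since the commit is already rewriting these handlers, `update_cache: true` would settle the type unambiguously. The same `yes` appears in the evolinux-base handlers hunk (`apt update`) and the hardware.dell hunk (`Update APT cache`), and `force: no` in the evocheck install hunk (`Copy evocheck.cf`) has the same issue. `failed_when: False` / `changed_when: False` elsewhere in the commit are accepted by Ansible but lowercase `false` is the conventional spelling.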


@ -1,27 +1,29 @@
--- ---
- name: Do no install certbot crontab - name: Do no install certbot crontab
set_fact: ansible.builtin.set_fact:
certbot_custom_crontab: False certbot_custom_crontab: False
- include_role: - ansible.builtin.include_role:
name: evolix/certbot name: evolix/certbot
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
- name: Disable /etc/cron.d/certbot - name: Disable /etc/cron.d/certbot
command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled ansible.builtin.command:
cmd: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled
args: args:
removes: /etc/cron.d/certbot removes: /etc/cron.d/certbot
- name: Disable /etc/cron.daily/certbot - name: Disable /etc/cron.daily/certbot
command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled ansible.builtin.command:
cmd: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
args: args:
removes: /etc/cron.daily/certbot removes: /etc/cron.daily/certbot
- name: Install evoacme custom cron - name: Install evoacme custom cron
copy: ansible.builtin.copy:
src: evoacme.cron src: evoacme.cron
dest: /etc/cron.daily/evoacme dest: /etc/cron.daily/evoacme
mode: "0755" mode: "0755"
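Review bot: In the two `Disable /etc/cron.*/certbot` tasks the commit moves the command under `cmd:` but leaves `removes:` in a separate task-level `args:` block, which still works but splits the module's arguments across two places. Folding it into the module dict reads as one unit: `ansible.builtin.command:` / `  cmd: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled` / `  removes: /etc/cron.d/certbot`. The `create jail` task in the evobackup-client jail.yml hunk has the same split with `creates:`. Separately, the first task's name reads `Do no install certbot crontab`; `Do not install certbot crontab` is presumably intended.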


@ -1,5 +1,5 @@
--- ---
- ini_file: - community.general.ini_file:
dest: "{{ evoacme_crt_dir }}/openssl.cnf" dest: "{{ evoacme_crt_dir }}/openssl.cnf"
section: 'req' section: 'req'
option: "{{ item.name }}" option: "{{ item.name }}"
@ -11,7 +11,7 @@
- { name: 'prompt', var: 'no' } - { name: 'prompt', var: 'no' }
- name: Update openssl conf - name: Update openssl conf
ini_file: community.general.ini_file:
dest: "{{ evoacme_crt_dir }}/openssl.cnf" dest: "{{ evoacme_crt_dir }}/openssl.cnf"
section: 'req_dn' section: 'req_dn'
option: "{{ item.name }}" option: "{{ item.name }}"
@ -25,7 +25,7 @@
- { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" } - { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" }
- name: Copy new evoacme conf - name: Copy new evoacme conf
template: ansible.builtin.template:
src: templates/evoacme.conf.j2 src: templates/evoacme.conf.j2
dest: /etc/default/evoacme dest: /etc/default/evoacme
owner: root owner: root


@ -1,18 +1,19 @@
--- ---
- name: "Create {{ hook_name }} hook directory" - name: "Create {{ hook_name }} hook directory"
file: ansible.builtin.file:
dest: "{{ evoacme_hooks_dir }}" dest: "{{ evoacme_hooks_dir }}"
state: directory state: directory
- name: "Search for {{ hook_name }} hook" - name: "Search for {{ hook_name }} hook"
command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)" ansible.builtin.command:
cmd: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
check_mode: no check_mode: no
changed_when: False changed_when: False
register: _find_hook register: _find_hook
- name: "Copy {{ hook_name }} hook if missing" - name: "Copy {{ hook_name }} hook if missing"
copy: ansible.builtin.copy:
src: "hooks/{{ hook_name }}" src: "hooks/{{ hook_name }}"
dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}" dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}"
mode: "0750" mode: "0750"


@ -1,16 +1,16 @@
--- ---
- name: Verify Debian version - name: Verify Debian version
assert: ansible.builtin.assert:
that: that:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=') - ansible_distribution_major_version is version('9', '>=')
msg: only compatible with Debian >= 9 msg: only compatible with Debian >= 9
when: not (evoacme_disable_debian_check | bool) when: not (evoacme_disable_debian_check | bool)
- include: certbot.yml - ansible.builtin.include: certbot.yml
- include: permissions.yml - ansible.builtin.include: permissions.yml
# Enable this task if you want to deploy hooks # Enable this task if you want to deploy hooks
# - include: evoacme_hook.yml # - include: evoacme_hook.yml
@ -18,6 +18,6 @@
# hook_name: "{{ item }}" # hook_name: "{{ item }}"
# loop: [] # loop: []
- include: conf.yml - ansible.builtin.include: conf.yml
- include: scripts.yml - ansible.builtin.include: scripts.yml
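Review bot: `ansible.builtin.include` on the certbot.yml, permissions.yml, conf.yml and scripts.yml lines is the FQCN of the legacy `include` action, which has been deprecated since ansible-core 2.4 and was removed in ansible-core 2.16, so the rename keeps a dependency on a removed action rather than resolving the lint. These four includes carry no loop or per-item condition, so `- ansible.builtin.import_tasks: certbot.yml` (static) is the drop-in replacement, with `ansible.builtin.include_tasks` reserved for files that are looped or must be resolved at run time. The same pattern is in the evobackup-client main.yml hunk (tags there propagate with `import_tasks`, or with `include_tasks` only via `apply`), the evocheck main.yml hunk (`cron.yml` with a `when:`), and the evolinux-users main.yml hunk, where `Create user accounts` loops over user.yml and therefore needs `include_tasks`.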


@ -1,7 +1,7 @@
--- ---
- name: Fix crt directory permissions - name: Fix crt directory permissions
file: ansible.builtin.file:
path: "{{ evoacme_crt_dir }}" path: "{{ evoacme_crt_dir }}"
mode: "0755" mode: "0755"
owner: root owner: root
@ -9,7 +9,7 @@
state: directory state: directory
- name: "Fix hooks directory permissions" - name: "Fix hooks directory permissions"
file: ansible.builtin.file:
path: "{{ evoacme_hooks_dir }}" path: "{{ evoacme_hooks_dir }}"
mode: "0700" mode: "0700"
owner: root owner: root
@ -17,7 +17,7 @@
state: directory state: directory
- name: Fix log directory permissions - name: Fix log directory permissions
file: ansible.builtin.file:
path: "{{ evoacme_log_dir }}" path: "{{ evoacme_log_dir }}"
mode: "0755" mode: "0755"
owner: root owner: root
@ -25,7 +25,7 @@
state: directory state: directory
- name: Fix challenge directory permissions - name: Fix challenge directory permissions
file: ansible.builtin.file:
path: "{{ evoacme_acme_dir }}" path: "{{ evoacme_acme_dir }}"
mode: "0755" mode: "0755"
owner: root owner: root


@ -1,10 +1,10 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
- name: Create CSR dir - name: Create CSR dir
file: ansible.builtin.file:
path: "{{ evoacme_csr_dir }}" path: "{{ evoacme_csr_dir }}"
state: directory state: directory
owner: root owner: root
@ -12,7 +12,7 @@
mode: "0755" mode: "0755"
- name: Copy make-csr.sh script - name: Copy make-csr.sh script
copy: ansible.builtin.copy:
src: make-csr.sh src: make-csr.sh
dest: /usr/local/sbin/make-csr dest: /usr/local/sbin/make-csr
owner: root owner: root
@ -20,7 +20,7 @@
mode: "0755" mode: "0755"
- name: Copy vhost-domains.sh script - name: Copy vhost-domains.sh script
copy: ansible.builtin.copy:
src: vhost-domains.sh src: vhost-domains.sh
dest: /usr/local/sbin/vhost-domains dest: /usr/local/sbin/vhost-domains
owner: root owner: root
@ -28,7 +28,7 @@
mode: "0755" mode: "0755"
- name: Copy evoacme script - name: Copy evoacme script
copy: ansible.builtin.copy:
src: evoacme.sh src: evoacme.sh
dest: /usr/local/sbin/evoacme dest: /usr/local/sbin/evoacme
owner: root owner: root
@ -36,7 +36,7 @@
mode: "0755" mode: "0755"
- name: Delete scripts in old location - name: Delete scripts in old location
file: ansible.builtin.file:
path: "/usr/local/bin/{{ item }}" path: "/usr/local/bin/{{ item }}"
state: absent state: absent
loop: loop:


@ -1,17 +1,20 @@
--- ---
- name: restart minifirewall - name: restart minifirewall
command: /etc/init.d/minifirewall restart ansible.builtin.command:
cmd: /etc/init.d/minifirewall restart
register: minifirewall_init_restart register: minifirewall_init_restart
failed_when: failed_when:
- "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
- "'minifirewall started' not in minifirewall_init_restart.stdout" - "'minifirewall started' not in minifirewall_init_restart.stdout"
- name: 'created new jail' - name: 'created new jail'
command: "bkctld restart {{ evolinux_hostname }}" ansible.builtin.command:
cmd: "bkctld restart {{ evolinux_hostname }}"
delegate_to: "{{ evobackup_client__hosts[0].ip }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}"
- name: 'jail updated' - name: 'jail updated'
command: "bkctld restart {{ evolinux_hostname }}" ansible.builtin.command:
cmd: "bkctld restart {{ evolinux_hostname }}"
# - "bkctld sync {{ evolinux_hostname }}" # - "bkctld sync {{ evolinux_hostname }}"
delegate_to: "{{ evobackup_client__hosts[0].ip }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}"
when: evobackup_client__hosts | length > 1 when: evobackup_client__hosts | length > 1
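Review bot: The `failed_when:` list on `restart minifirewall` is AND-ed by Ansible, so the handler fails only when neither success message is in stdout; that is a reasonable contract for two script generations, but it reads at first glance as "fail if either is missing". A one-line comment above the list would prevent the next edit from "fixing" it: `# conditions are AND-ed: fail only if neither success message appears`. The commented-out `# - "bkctld sync {{ evolinux_hostname }}"` left inside the `jail updated` task is dead text from the old list form and no longer matches the `cmd:` shape introduced here; dropping it or noting why it is kept would help.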


@ -1,7 +1,8 @@
--- ---
- name: 'create jail' - name: 'create jail'
command: "bkctld init {{ evolinux_hostname }}" ansible.builtin.command:
cmd: "bkctld init {{ evolinux_hostname }}"
args: args:
creates: "/backup/jails/{{ evolinux_hostname }}/" creates: "/backup/jails/{{ evolinux_hostname }}/"
become: true become: true
@ -15,7 +16,8 @@
# temp fix for bkctld 2.x because the ip and key command return 1 # temp fix for bkctld 2.x because the ip and key command return 1
# if the jail is not started, see https://gitea.evolix.org/evolix/evobackup/issues/31 # if the jail is not started, see https://gitea.evolix.org/evolix/evobackup/issues/31
- name: 'start jail' - name: 'start jail'
command: "bkctld restart {{ evolinux_hostname }}" ansible.builtin.command:
cmd: "bkctld restart {{ evolinux_hostname }}"
become: true become: true
delegate_to: "{{ evobackup_client__hosts[0].ip }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}"
tags: tags:
@ -23,7 +25,8 @@
- evobackup_client_jail - evobackup_client_jail
- name: 'add ip to jail' - name: 'add ip to jail'
command: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}" ansible.builtin.command:
cmd: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}"
become: true become: true
delegate_to: "{{ evobackup_client__hosts[0].ip }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}"
notify: 'jail updated' notify: 'jail updated'
@ -32,7 +35,8 @@
- evobackup_client_jail - evobackup_client_jail
- name: 'add key to jail' - name: 'add key to jail'
command: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub" ansible.builtin.command:
cmd: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub"
become: true become: true
delegate_to: "{{ evobackup_client__hosts[0].ip }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}"
notify: 'jail updated' notify: 'jail updated'
@ -41,7 +45,8 @@
- evobackup_client_jail - evobackup_client_jail
- name: 'get jail port' - name: 'get jail port'
command: "bkctld port {{ evolinux_hostname }}" ansible.builtin.command:
cmd: "bkctld port {{ evolinux_hostname }}"
become: true become: true
register: bkctld_port register: bkctld_port
delegate_to: "{{ evobackup_client__hosts[0].ip }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}"
@ -50,7 +55,7 @@
- evobackup_client_jail - evobackup_client_jail
- name: 'register jail port' - name: 'register jail port'
set_fact: ansible.builtin.set_fact:
evobackup_ssh_port={{ bkctld_port.stdout }} evobackup_ssh_port={{ bkctld_port.stdout }}
tags: tags:
- evobackup_client - evobackup_client
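Review bot: In `register jail port`, `ansible.builtin.set_fact:` is followed by the plain scalar `evobackup_ssh_port={{ bkctld_port.stdout }}`, so the module receives a free-form `key=value` string rather than a mapping and relies on legacy argument parsing; ansible-lint flags this form, and the surrounding tasks in this hunk already use mapping arguments. Writing it as a mapping is the one-line fix: `evobackup_ssh_port: "{{ bkctld_port.stdout }}"`. The quotes also keep the templated value from being read as anything other than a string before Ansible renders it.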


@ -1,26 +1,26 @@
--- ---
- include: "ssh_key.yml" - ansible.builtin.include: "ssh_key.yml"
tags: tags:
- evobackup_client - evobackup_client
- evobackup_client_backup_ssh_key - evobackup_client_backup_ssh_key
- include: "jail.yml" - ansible.builtin.include: "jail.yml"
tags: tags:
- evobackup_client - evobackup_client
- evobackup_client_jail - evobackup_client_jail
- include: "upload_scripts.yml" - ansible.builtin.include: "upload_scripts.yml"
tags: tags:
- evobackup_client - evobackup_client
- evobackup_client_backup_scripts - evobackup_client_backup_scripts
- include: "open_ssh_ports.yml" - ansible.builtin.include: "open_ssh_ports.yml"
tags: tags:
- evobackup_client - evobackup_client
- evobackup_client_backup_firewall - evobackup_client_backup_firewall
- include: "verify_ssh.yml" - ansible.builtin.include: "verify_ssh.yml"
tags: tags:
- evobackup_client - evobackup_client
- evobackup_client_backup_hosts - evobackup_client_backup_hosts


@ -1,7 +1,7 @@
--- ---
- name: Is there a Minifirewall ? - name: Is there a Minifirewall ?
stat: ansible.builtin.stat:
path: /etc/default/minifirewall path: /etc/default/minifirewall
register: evobackup_client__minifirewall register: evobackup_client__minifirewall
tags: tags:
@ -9,7 +9,7 @@
- evobackup_client_backup_firewall - evobackup_client_backup_firewall
- name: Add backup SSH port in /etc/default/minifirewall - name: Add backup SSH port in /etc/default/minifirewall
blockinfile: ansible.builtin.blockinfile:
dest: /etc/default/minifirewall dest: /etc/default/minifirewall
marker: "# {mark} {{ item.name }}" marker: "# {mark} {{ item.name }}"
block: | block: |


@ -1,7 +1,7 @@
--- ---
- name: Create SSH key - name: Create SSH key
user: ansible.builtin.user:
name: root name: root
generate_ssh_key: true generate_ssh_key: true
ssh_key_file: "{{ evobackup_client__root_key_path }}" ssh_key_file: "{{ evobackup_client__root_key_path }}"
@ -12,7 +12,7 @@
- evobackup_client_backup_ssh_key - evobackup_client_backup_ssh_key
- name: Print SSH key - name: Print SSH key
debug: ansible.builtin.debug:
var: evobackup_client__root_key.ssh_public_key var: evobackup_client__root_key.ssh_public_key
when: evobackup_client__root_key.ssh_public_key is defined when: evobackup_client__root_key.ssh_public_key is defined
tags: tags:
@ -20,7 +20,7 @@
- evobackup_client_backup_ssh_key - evobackup_client_backup_ssh_key
- name: 'copy ssh public key to backup server' - name: 'copy ssh public key to backup server'
copy: ansible.builtin.copy:
content: "{{ evobackup_client__root_key.ssh_public_key }}" content: "{{ evobackup_client__root_key.ssh_public_key }}"
dest: "/root/{{ evolinux_hostname }}.pub" dest: "/root/{{ evolinux_hostname }}.pub"
become: true become: true


@ -1,7 +1,7 @@
--- ---
- name: Upload evobackup script - name: Upload evobackup script
template: ansible.builtin.template:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ evobackup_client__cron_path }}" dest: "{{ evobackup_client__cron_path }}"
force: true force: true


@ -1,7 +1,7 @@
--- ---
- name: Verify evolix backup servers - name: Verify evolix backup servers
known_hosts: ansible.builtin.known_hosts:
path: /root/.ssh/known_hosts path: /root/.ssh/known_hosts
name: "[{{ item.name }}]:{{ item.port }}" name: "[{{ item.name }}]:{{ item.port }}"
key: "[{{ item.name }}]:{{ item.port }} {{ item.fingerprint }}" key: "[{{ item.name }}]:{{ item.port }} {{ item.fingerprint }}"


@ -1,8 +1,8 @@
--- ---
- name: Check if cron is installed - name: Check if cron is installed
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" ansible.builtin.shell:
args: cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
executable: /bin/bash executable: /bin/bash
failed_when: False failed_when: False
changed_when: False changed_when: False
@ -10,7 +10,7 @@
register: is_cron_installed register: is_cron_installed
- name: evocheck crontab is updated - name: evocheck crontab is updated
template: ansible.builtin.template:
src: crontab.j2 src: crontab.j2
dest: /etc/cron.d/evocheck dest: /etc/cron.d/evocheck
mode: "0644" mode: "0644"


@ -1,6 +1,7 @@
--- ---
- name: run evocheck - name: run evocheck
command: "{{ evocheck_bin_dir }}/evocheck.sh" ansible.builtin.command:
cmd: "{{ evocheck_bin_dir }}/evocheck.sh"
register: evocheck_run register: evocheck_run
changed_when: False changed_when: False
failed_when: False failed_when: False
@ -8,7 +9,7 @@
tags: tags:
- evocheck-exec - evocheck-exec
- debug: - ansible.builtin.debug:
var: evocheck_run.stdout_lines var: evocheck_run.stdout_lines
when: evocheck_run.stdout | length > 0 when: evocheck_run.stdout | length > 0
tags: tags:
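Review bot: `run evocheck` sets both `changed_when: False` and `failed_when: False`, so a non-zero exit from evocheck.sh never fails the play and its findings only surface through the `debug` task that follows; nothing in the hunk says that this is deliberate. A comment on the task would record the intent for the next maintainer: `# exit status is ignored on purpose: findings are reported by the debug task below, not as a play failure`. The enclosing `debug` task continues past the end of the hunk.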


@ -1,12 +1,12 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
when: evocheck_bin_dir is search("/usr") when: evocheck_bin_dir is search("/usr")
tags: tags:
- evocheck - evocheck
- name: Scripts dir is present - name: Scripts dir is present
file: ansible.builtin.file:
path: "{{ evocheck_bin_dir }}" path: "{{ evocheck_bin_dir }}"
state: directory state: directory
owner: root owner: root
@ -16,22 +16,22 @@
- evocheck - evocheck
- name: Script for Debian 7 and earlier - name: Script for Debian 7 and earlier
set_fact: ansible.builtin.set_fact:
evocheck_script_src: evocheck.wheezy.sh evocheck_script_src: evocheck.wheezy.sh
when: ansible_distribution_major_version is version('7', '<=') when: ansible_distribution_major_version is version('7', '<=')
- name: Script for Debian 8 - name: Script for Debian 8
set_fact: ansible.builtin.set_fact:
evocheck_script_src: evocheck.jessie.sh evocheck_script_src: evocheck.jessie.sh
when: ansible_distribution_major_version is version('8', '=') when: ansible_distribution_major_version is version('8', '=')
- name: Script for Debian 9 and later - name: Script for Debian 9 and later
set_fact: ansible.builtin.set_fact:
evocheck_script_src: evocheck.sh evocheck_script_src: evocheck.sh
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('9', '>=')
- name: Copy evocheck.sh - name: Copy evocheck.sh
copy: ansible.builtin.copy:
src: "{{ evocheck_script_src }}" src: "{{ evocheck_script_src }}"
dest: "{{ evocheck_bin_dir }}/evocheck.sh" dest: "{{ evocheck_bin_dir }}/evocheck.sh"
mode: "0700" mode: "0700"
@ -41,7 +41,7 @@
- evocheck - evocheck
- name: Copy evocheck.cf - name: Copy evocheck.cf
copy: ansible.builtin.copy:
src: evocheck.cf src: evocheck.cf
dest: /etc/evocheck.cf dest: /etc/evocheck.cf
force: no force: no


@ -1,6 +1,6 @@
--- ---
- include: install.yml - ansible.builtin.include: install.yml
- include: cron.yml - ansible.builtin.include: cron.yml
when: evocheck_update_crontab | bool when: evocheck_update_crontab | bool


@ -1,75 +1,81 @@
--- ---
- name: dpkg-reconfigure-debconf - name: dpkg-reconfigure-debconf
command: dpkg-reconfigure --frontend noninteractive debconf ansible.builtin.command:
cmd: dpkg-reconfigure --frontend noninteractive debconf
- name: dpkg-reconfigure-locales - name: dpkg-reconfigure-locales
command: dpkg-reconfigure --frontend noninteractive locales ansible.builtin.command:
cmd: dpkg-reconfigure --frontend noninteractive locales
- name: dpkg-reconfigure-apt - name: dpkg-reconfigure-apt
command: dpkg-reconfigure --frontend noninteractive apt-listchanges ansible.builtin.command:
cmd: dpkg-reconfigure --frontend noninteractive apt-listchanges
# - name: debconf-set-selections # - name: debconf-set-selections
# command: debconf-set-selections /root/debconf-preseed # command: debconf-set-selections /root/debconf-preseed
- name: apt update - name: apt update
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
- name: restart rsyslog - name: restart rsyslog
service: ansible.builtin.service:
name: rsyslog name: rsyslog
state: restarted state: restarted
- name: remount /home - name: remount /home
command: mount -o remount /home ansible.builtin.command:
cmd: mount -o remount /home
- name: remount /var - name: remount /var
command: mount -o remount /var ansible.builtin.command:
cmd: mount -o remount /var
- name: restart nginx - name: restart nginx
service: ansible.builtin.service:
name: nginx name: nginx
state: restarted state: restarted
- name: reload nginx - name: reload nginx
service: ansible.builtin.service:
name: nginx name: nginx
state: reloaded state: reloaded
- name: restart apache - name: restart apache
service: ansible.builtin.service:
name: apache2 name: apache2
state: restarted state: restarted
- name: reload apache - name: reload apache
service: ansible.builtin.service:
name: apache2 name: apache2
state: reloaded state: reloaded
- name: restart cron - name: restart cron
service: ansible.builtin.service:
name: cron name: cron
state: restarted state: restarted
- name: newaliases - name: newaliases
command: newaliases ansible.builtin.command:
cmd: newaliases
changed_when: False changed_when: False
- name: reload sshd - name: reload sshd
service: ansible.builtin.service:
name: ssh name: ssh
state: reloaded state: reloaded
- name: reload postfix - name: reload postfix
service: ansible.builtin.service:
name: postfix name: postfix
state: reloaded state: reloaded
- name: restart log2mail - name: restart log2mail
service: ansible.builtin.service:
name: log2mail name: log2mail
state: restarted state: restarted


@ -9,5 +9,5 @@
# mode: "0700" # mode: "0700"
# state: directory # state: directory
- include_role: - ansible.builtin.include_role:
name: evolix/evolinux-todo name: evolix/evolinux-todo


@ -7,7 +7,8 @@
# This is still incompatible with Debian # This is still incompatible with Debian
- name: Check if PERC HBA11 device is present - name: Check if PERC HBA11 device is present
ansible.builtin.shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'" ansible.builtin.shell:
cmd: "lspci | grep -qE 'MegaRAID.*SAS39xx'"
check_mode: no check_mode: no
register: perc_hba11_search register: perc_hba11_search
failed_when: False failed_when: False
@ -74,7 +75,7 @@
when: ansible_distribution_major_version is version('12', '>=') when: ansible_distribution_major_version is version('12', '>=')
- name: Update APT cache - name: Update APT cache
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
when: hwraid_sources is changed when: hwraid_sources is changed
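Review bot: `Check if PERC HBA11 device is present` pipes `lspci` into `grep` under `ansible.builtin.shell` without `set -o pipefail`, unlike the `Check if cron is installed` tasks elsewhere in this commit, which prefix the pipeline with `set -o pipefail &&` and set `executable: /bin/bash`; ansible-lint's risky-shell-pipe rule will keep flagging this one. With `failed_when: False` the effect on `perc_hba11_search.rc` is limited, but a failing `lspci` would currently look like "device absent" rather than an error. Aligning it with the other tasks is three lines: `ansible.builtin.shell:` / `  cmd: "set -o pipefail && lspci | grep -qE 'MegaRAID.*SAS39xx'"` / `  executable: /bin/bash`. The task's remaining keys continue past the end of the hunk.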


@ -67,13 +67,13 @@
- packages - packages
- name: "HP" - name: "HP"
import_tasks: hardware.hp.yml ansible.builtin.import_tasks: hardware.hp.yml
when: when:
- "'Hewlett-Packard Company Smart Array' in raidmodel.stdout or 'Adaptec Smart Storage PQI' in raidmodel.stdout" - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout or 'Adaptec Smart Storage PQI' in raidmodel.stdout"
- evolinux_packages_hardware_raid | bool - evolinux_packages_hardware_raid | bool
- name: "Dell" - name: "Dell"
import_tasks: hardware.dell.yml ansible.builtin.import_tasks: hardware.dell.yml
when: when:
- "'MegaRAID' in raidmodel.stdout" - "'MegaRAID' in raidmodel.stdout"
- evolinux_packages_hardware_raid | bool - evolinux_packages_hardware_raid | bool


@ -1,14 +1,14 @@
--- ---
- name: "System compatibility checks" - name: "System compatibility checks"
assert: ansible.builtin.assert:
that: that:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=') - ansible_distribution_major_version is version('8', '>=')
msg: only compatible with Debian >= 8 msg: only compatible with Debian >= 8
- name: Apt configuration - name: Apt configuration
include_role: ansible.builtin.include_role:
name: evolix/apt name: evolix/apt
vars: vars:
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
@ -18,52 +18,52 @@
when: evolinux_apt_include | bool when: evolinux_apt_include | bool
- name: /etc versioning with Git - name: /etc versioning with Git
include_role: ansible.builtin.include_role:
name: evolix/etc-git name: evolix/etc-git
when: evolinux_etcgit_include | bool when: evolinux_etcgit_include | bool
- name: /etc/evolinux base - name: /etc/evolinux base
import_tasks: etc-evolinux.yml ansible.builtin.import_tasks: etc-evolinux.yml
when: evolinux_etcevolinux_include | bool when: evolinux_etcevolinux_include | bool
- name: Hostname - name: Hostname
import_tasks: hostname.yml ansible.builtin.import_tasks: hostname.yml
when: evolinux_hostname_include | bool when: evolinux_hostname_include | bool
- name: Kernel tuning - name: Kernel tuning
import_tasks: kernel.yml ansible.builtin.import_tasks: kernel.yml
when: evolinux_kernel_include | bool when: evolinux_kernel_include | bool
- name: Fstab configuration - name: Fstab configuration
import_tasks: fstab.yml ansible.builtin.import_tasks: fstab.yml
when: evolinux_fstab_include | bool when: evolinux_fstab_include | bool
- name: Packages - name: Packages
import_tasks: packages.yml ansible.builtin.import_tasks: packages.yml
when: evolinux_packages_include | bool when: evolinux_packages_include | bool
- name: System settings - name: System settings
import_tasks: system.yml ansible.builtin.import_tasks: system.yml
when: evolinux_system_include | bool when: evolinux_system_include | bool
- name: Minifirewall - name: Minifirewall
include_role: ansible.builtin.include_role:
name: evolix/minifirewall name: evolix/minifirewall
when: evolinux_minifirewall_include | bool when: evolinux_minifirewall_include | bool
- name: Evomaintenance - name: Evomaintenance
include_role: ansible.builtin.include_role:
name: evolix/evomaintenance name: evolix/evomaintenance
when: evolinux_evomaintenance_include | bool when: evolinux_evomaintenance_include | bool
- name: SSH configuration (single file) - name: SSH configuration (single file)
import_tasks: ssh.single-file.yml ansible.builtin.import_tasks: ssh.single-file.yml
when: when:
- ansible_distribution_major_version is version('12', '<') - ansible_distribution_major_version is version('12', '<')
- evolinux_ssh_include | bool - evolinux_ssh_include | bool
- name: SSH configuration (included-files) - name: SSH configuration (included-files)
import_tasks: ssh.included-files.yml ansible.builtin.import_tasks: ssh.included-files.yml
when: when:
- ansible_distribution_major_version is version('12', '>=') - ansible_distribution_major_version is version('12', '>=')
- evolinux_ssh_include | bool - evolinux_ssh_include | bool
@ -75,71 +75,71 @@
# when: evolinux_users_include # when: evolinux_users_include
- name: Root user configuration - name: Root user configuration
import_tasks: root.yml ansible.builtin.import_tasks: root.yml
when: evolinux_root_include | bool when: evolinux_root_include | bool
- name: Postfix - name: Postfix
import_tasks: postfix.yml ansible.builtin.import_tasks: postfix.yml
when: evolinux_postfix_include | bool when: evolinux_postfix_include | bool
- name: Logs management - name: Logs management
import_tasks: logs.yml ansible.builtin.import_tasks: logs.yml
when: evolinux_logs_include | bool when: evolinux_logs_include | bool
- name: Default index page - name: Default index page
import_tasks: default_www.yml ansible.builtin.import_tasks: default_www.yml
when: evolinux_default_www_include | bool when: evolinux_default_www_include | bool
- name: Hardware drivers and tools - name: Hardware drivers and tools
import_tasks: hardware.yml ansible.builtin.import_tasks: hardware.yml
when: when:
- evolinux_hardware_include | bool - evolinux_hardware_include | bool
- ansible_virtualization_role == "host" - ansible_virtualization_role == "host"
- name: Customize for Online.net - name: Customize for Online.net
import_tasks: provider_online.yml ansible.builtin.import_tasks: provider_online.yml
when: evolinux_provider_online_include | bool when: evolinux_provider_online_include | bool
- name: Customize for Orange FCE - name: Customize for Orange FCE
import_tasks: provider_orange_fce.yml ansible.builtin.import_tasks: provider_orange_fce.yml
when: evolinux_provider_orange_fce_include | bool when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service - name: Override Log2mail service
import_tasks: log2mail.yml ansible.builtin.import_tasks: log2mail.yml
when: evolinux_log2mail_include | bool when: evolinux_log2mail_include | bool
- import_tasks: motd.yml - ansible.builtin.import_tasks: motd.yml
when: evolinux_motd_include | bool when: evolinux_motd_include | bool
- import_tasks: utils.yml - ansible.builtin.import_tasks: utils.yml
when: evolinux_utils_include | bool when: evolinux_utils_include | bool
- name: Munin - name: Munin
include_role: ansible.builtin.include_role:
name: evolix/munin name: evolix/munin
when: evolinux_munin_include | bool when: evolinux_munin_include | bool
- name: Nagios/NRPE - name: Nagios/NRPE
include_role: ansible.builtin.include_role:
name: evolix/nagios-nrpe name: evolix/nagios-nrpe
when: evolinux_nagios_nrpe_include | bool when: evolinux_nagios_nrpe_include | bool
- name: fail2ban - name: fail2ban
include_role: ansible.builtin.include_role:
name: evolix/fail2ban name: evolix/fail2ban
when: evolinux_fail2ban_include | bool when: evolinux_fail2ban_include | bool
- name: Evocheck - name: Evocheck
include_role: ansible.builtin.include_role:
name: evolix/evocheck name: evolix/evocheck
when: evolinux_evocheck_include | bool when: evolinux_evocheck_include | bool
- name: Listupgrade - name: Listupgrade
include_role: ansible.builtin.include_role:
name: evolix/listupgrade name: evolix/listupgrade
when: evolinux_listupgrade_include | bool when: evolinux_listupgrade_include | bool
- name: Generate ldif script - name: Generate ldif script
include_role: ansible.builtin.include_role:
name: evolix/generate-ldif name: evolix/generate-ldif
when: evolinux_generateldif_include | bool when: evolinux_generateldif_include | bool


@ -34,7 +34,7 @@
# TODO : find a way to force the console-data configuration # TODO : find a way to force the console-data configuration
# non-interactively (like tzdata ↑) # non-interactively (like tzdata ↑)
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
- name: Ensure automagic vim conf is disabled - name: Ensure automagic vim conf is disabled
@ -129,7 +129,7 @@
- is_cron_installed.rc == 0 - is_cron_installed.rc == 0
- evolinux_system_cron_random | bool - evolinux_system_cron_random | bool
- include_role: - ansible.builtin.include_role:
name: evolix/ntpd name: evolix/ntpd
## alert5 ## alert5


@ -1,9 +1,9 @@
--- ---
- include_role: - ansible.builtin.include_role:
name: evolix/remount-usr name: evolix/remount-usr
- include_tasks: - ansible.builtin.include_tasks:
file: dump-server-state.yml file: dump-server-state.yml
- name: "/sbin/deny script is present" - name: "/sbin/deny script is present"


@ -1,13 +1,14 @@
--- ---
- name: cat /etc/evolinux/todo.txt - name: cat /etc/evolinux/todo.txt
command: "cat /etc/evolinux/todo.txt" ansible.builtin.command:
cmd: "cat /etc/evolinux/todo.txt"
register: evolinux_todo register: evolinux_todo
changed_when: False changed_when: False
failed_when: False failed_when: False
check_mode: no check_mode: no
- name: "Content of /etc/evolinux/todo.txt" - name: "Content of /etc/evolinux/todo.txt"
debug: ansible.builtin.debug:
var: evolinux_todo.stdout_lines var: evolinux_todo.stdout_lines
when: evolinux_todo.stdout | length > 0 when: evolinux_todo.stdout | length > 0


@ -1,14 +1,14 @@
--- ---
- name: /etc/evolinux is present - name: /etc/evolinux is present
file: ansible.builtin.file:
dest: /etc/evolinux dest: /etc/evolinux
mode: "0700" mode: "0700"
state: directory state: directory
when: ansible_distribution == "Debian" when: ansible_distribution == "Debian"
- name: /etc/evolinux/todo.txt is present - name: /etc/evolinux/todo.txt is present
copy: ansible.builtin.copy:
src: todo.defaults.txt src: todo.defaults.txt
dest: /etc/evolinux/todo.txt dest: /etc/evolinux/todo.txt
mode: "0640" mode: "0640"


@ -1,9 +1,10 @@
--- ---
- name: reload sshd - name: reload sshd
service: ansible.builtin.service:
name: sshd name: sshd
state: reloaded state: reloaded
- name: newaliases - name: newaliases
command: newaliases ansible.builtin.command:
cmd: newaliases
changed_when: False changed_when: False
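Review bot: The `reload sshd` handler here targets `name: sshd`, while the handler of the same name in the evolinux-base handlers hunk targets `name: ssh`; on Debian the packaged unit is `ssh.service`, and `sshd` resolves only through an alias, so the two roles presumably rely on different names for the same service. Picking one spelling (`name: ssh` matches the package) across both roles would avoid a reload silently addressing a unit that may not be resolvable on every host. This is a consistency point; the commit itself only adds the FQCN.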


@ -1,18 +1,18 @@
--- ---
- name: "System compatibility checks" - name: "System compatibility checks"
assert: ansible.builtin.assert:
that: that:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=') - ansible_distribution_major_version is version('8', '>=')
msg: only compatible with Debian >= 8 msg: only compatible with Debian >= 8
- debug: - ansible.builtin.debug:
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
when: evolinux_users | length == 0 when: evolinux_users | length == 0
- name: Create user accounts - name: Create user accounts
include: user.yml ansible.builtin.include: user.yml
vars: vars:
user: "{{ item.value }}" user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}" loop: "{{ evolinux_users | dict2items }}"
@ -21,8 +21,8 @@
- evolinux_users | length > 0 - evolinux_users | length > 0
- name: Configure sudo - name: Configure sudo
include: sudo.yml ansible.builtin.include: sudo.yml
- name: Configure SSH - name: Configure SSH
include: ssh.yml ansible.builtin.include: ssh.yml
when: evolinux_users | length > 0 when: evolinux_users | length > 0
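Review bot: The three `ansible.builtin.include` statements (`user.yml`, `sudo.yml`, `ssh.yml`) qualify a module that is deprecated in favour of `ansible.builtin.include_tasks` / `ansible.builtin.import_tasks`; the FQCN form keeps the deprecation warning and will stop working once the module is removed from ansible-core. Because `Create user accounts` uses `loop`, the dynamic form is the drop-in replacement: `ansible.builtin.include_tasks: user.yml` (and likewise for `sudo.yml` and `ssh.yml`). The same applies to the `ssh_allowgroups.yml` and `ssh_allowusers.yml` includes in the ssh.yml hunk below.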


@ -1,51 +1,53 @@
--- ---
- name: verify AllowGroups directive - name: verify AllowGroups directive
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" ansible.builtin.command:
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
changed_when: False changed_when: False
failed_when: False failed_when: False
check_mode: no check_mode: no
register: grep_allowgroups_ssh register: grep_allowgroups_ssh
- debug: - ansible.builtin.debug:
var: grep_allowgroups_ssh var: grep_allowgroups_ssh
verbosity: 1 verbosity: 1
- name: verify AllowUsers directive - name: verify AllowUsers directive
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" ansible.builtin.command:
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: False changed_when: False
failed_when: False failed_when: False
check_mode: no check_mode: no
register: grep_allowusers_ssh register: grep_allowusers_ssh
- debug: - ansible.builtin.debug:
var: grep_allowusers_ssh var: grep_allowusers_ssh
verbosity: 1 verbosity: 1
- assert: - ansible.builtin.assert:
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
msg: "We can't deal with AllowUsers and AllowGroups at the same time" msg: "We can't deal with AllowUsers and AllowGroups at the same time"
- set_fact: - ansible.builtin.set_fact:
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+", # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}" ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10" # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}" ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"
- debug: - ansible.builtin.debug:
var: ssh_allowgroups var: ssh_allowgroups
verbosity: 1 verbosity: 1
- debug: - ansible.builtin.debug:
var: ssh_allowusers var: ssh_allowusers
verbosity: 1 verbosity: 1
- include: ssh_allowgroups.yml - ansible.builtin.include: ssh_allowgroups.yml
when: when:
- ssh_allowgroups - ssh_allowgroups
- not ssh_allowusers - not ssh_allowusers
- include: ssh_allowusers.yml - ansible.builtin.include: ssh_allowusers.yml
vars: vars:
user: "{{ item.value }}" user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}" loop: "{{ evolinux_users | dict2items }}"
@ -55,11 +57,11 @@
- not ssh_allowgroups - not ssh_allowgroups
- name: disable root login - name: disable root login
replace: ansible.builtin.replace:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)' regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no" replace: "PermitRootLogin no"
notify: reload sshd notify: reload sshd
when: evolinux_root_disable_ssh | bool when: evolinux_root_disable_ssh | bool
- meta: flush_handlers - ansible.builtin.meta: flush_handlers
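Review bot: The `disable root login` task only rewrites a commented-out `#PermitRootLogin ...` line, so a host whose sshd_config already carries an active `PermitRootLogin yes` is left unchanged and reported ok, and `evolinux_root_disable_ssh` does not actually guarantee root SSH login is off there. Making the comment marker optional covers both cases: `regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'`. Independently, none of the sshd_config edits in this commit (this `replace`, and the `lineinfile`/`replace` tasks in ssh_allowgroups.yml and ssh_allowusers.yml) check the file before the `reload sshd` handler fires; `validate: '/usr/sbin/sshd -t -f %s'` on each of them would stop a malformed directive from reaching the live daemon. The `ansible.builtin.include: ssh_allowusers.yml` task's `when:` list continues outside the first hunk.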


@ -3,14 +3,15 @@
# this check must be repeated for each user # this check must be repeated for each user
# even if it's been done before # even if it's been done before
- name: verify AllowGroups directive - name: verify AllowGroups directive
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" ansible.builtin.command:
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
changed_when: False changed_when: False
failed_when: False failed_when: False
check_mode: no check_mode: no
register: grep_allowgroups_ssh register: grep_allowgroups_ssh
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
lineinfile: ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
line: "\nAllowGroups {{ evolinux_ssh_group }}" line: "\nAllowGroups {{ evolinux_ssh_group }}"
insertafter: 'Subsystem' insertafter: 'Subsystem'
@ -19,7 +20,7 @@
when: grep_allowgroups_ssh.rc != 0 when: grep_allowgroups_ssh.rc != 0
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
replace: ansible.builtin.replace:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
replace: '\1 {{ evolinux_ssh_group }}' replace: '\1 {{ evolinux_ssh_group }}'


@ -3,14 +3,15 @@
# this check must be repeated for each user # this check must be repeated for each user
# even if it's been done before # even if it's been done before
- name: verify AllowUsers directive - name: verify AllowUsers directive
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" ansible.builtin.command:
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
changed_when: False changed_when: False
failed_when: False failed_when: False
check_mode: no check_mode: no
register: grep_allowusers_ssh register: grep_allowusers_ssh
- name: "Add AllowUsers sshd directive with '{{ user.name }}'" - name: "Add AllowUsers sshd directive with '{{ user.name }}'"
lineinfile: ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
line: "\nAllowUsers {{ user.name }}" line: "\nAllowUsers {{ user.name }}"
insertafter: 'Subsystem' insertafter: 'Subsystem'
@ -19,7 +20,7 @@
when: grep_allowusers_ssh.rc != 0 when: grep_allowusers_ssh.rc != 0
- name: "Append '{{ user.name }}' to AllowUsers sshd directive" - name: "Append '{{ user.name }}' to AllowUsers sshd directive"
replace: ansible.builtin.replace:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
replace: '\1 {{ user.name }}' replace: '\1 {{ user.name }}'
@ -28,14 +29,15 @@
when: grep_allowusers_ssh.rc == 0 when: grep_allowusers_ssh.rc == 0
- name: "verify Match User directive" - name: "verify Match User directive"
command: "grep -E '^Match User' /etc/ssh/sshd_config" ansible.builtin.command:
cmd: "grep -E '^Match User' /etc/ssh/sshd_config"
changed_when: False changed_when: False
failed_when: False failed_when: False
check_mode: no check_mode: no
register: grep_matchuser_ssh register: grep_matchuser_ssh
- name: "Add Match User sshd directive with '{{ user.name }}'" - name: "Add Match User sshd directive with '{{ user.name }}'"
lineinfile: ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
@ -44,7 +46,7 @@
when: grep_matchuser_ssh.rc != 0 when: grep_matchuser_ssh.rc != 0
- name: "Append '{{ user.name }}' to Match User's sshd directive" - name: "Append '{{ user.name }}' to Match User's sshd directive"
replace: ansible.builtin.replace:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^(Match User ((?!{{ user.name }}).)*)$' regexp: '^(Match User ((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}' replace: '\1,{{ user.name }}'
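Review bot: The `Match User` regexp `'^(Match User ((?!{{ user.name }}).)*)$'` has no word boundaries, unlike the `AllowUsers` regexp two tasks earlier, so a user whose name is a substring of an existing entry (e.g. `bob` when `bobby` is already listed) is treated as present, nothing is appended, and that user never receives the `PasswordAuthentication no` restriction. Using the same anchors as the AllowUsers task fixes it: `regexp: '^(Match User ((?!\b{{ user.name }}\b).)*)$'`. In all of these regexps `user.name` is interpolated unescaped; piping it through `regex_escape` would keep a name containing regex metacharacters from widening the match. The `Append ... Match User` task's `when:` continues outside the hunk.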
