diff --git a/CHANGELOG.md b/CHANGELOG.md index fa4175fb..e8a249ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,7 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: install script according to Debian version * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) -* evolinux-user: Add sudoers privilege for chck php\_fpm81 +* evolinux-user: Add sudoers privilege for check php\_fpm81 * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified * listupgrade: better detection for PostgreSQL @@ -44,8 +44,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * squid: whitelist deb.freexian.com * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version -* keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) -* openvpn: shellpki upstream release 22.12 +* keepalived: change exit code (warning if running but not on expected state ; critical if not running) +* openvpn: shellpki upstream release 22.12.2 * openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed @@ -55,9 +55,12 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: fix missing state, that blocked the task * proftpd: Fix format of public key files controlled by ansible * proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) +* openvpn: Fix mode of shellpki script ### Removed +* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream + ### Security ## [22.09] 2022-09-19 diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 931e9c94..96daa368 100644 
--- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -3,16 +3,13 @@ service: name: apache2 state: restarted - when: not ansible_check_mode - name: reload apache service: name: apache2 state: reloaded - when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted - when: not ansible_check_mode diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index bebd39e9..fd01517c 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -22,7 +22,6 @@ state: present tags: - apache - when: not ansible_check_mode - name: Copy private_htpasswd copy: @@ -45,7 +44,6 @@ notify: reload apache tags: - apache - when: not ansible_check_mode - name: remove user:pwd from private htpasswd lineinfile: @@ -56,4 +54,3 @@ notify: reload apache tags: - apache - when: not ansible_check_mode diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index a40d6075..18f4a681 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -10,7 +10,6 @@ tags: - apache - ips - when: not ansible_check_mode - name: remove IP addresses from private IP whitelist lineinfile: diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index daf59db9..3b0650b7 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -6,7 +6,6 @@ state: present tags: - apache - when: not ansible_check_mode - name: Add log2mail config for Apache segfaults template: diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index f6763278..39c8db24 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -53,7 +53,6 @@ notify: reload apache tags: - apache - when: not ansible_check_mode - name: basic modules are enabled apache2_module: @@ -194,7 +193,6 @@ replace: "{{ apache_logrotate_frequency }}" tags: - apache - when: not ansible_check_mode - name: "logrotate: rotate {{ apache_logrotate_rotate }}" replace: 
@@ -203,7 +201,6 @@ replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache - when: not ansible_check_mode - include: log2mail.yml when: apache_log2mail_include diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index b9602511..fe07a5cf 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -23,7 +23,6 @@ tags: - apache - munin - when: not ansible_check_mode - name: "Install fcgi packages for Munin graphs" apt: @@ -44,7 +43,6 @@ tags: - apache - munin - when: not ansible_check_mode - name: "Apache has access to /var/log/munin/" file: @@ -53,4 +51,3 @@ tags: - apache - munin - when: not ansible_check_mode diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index fa54090f..efd2b00e 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -26,12 +26,10 @@ changed_when: False check_mode: no register: new_apache_serverstatus_suffix - when: not ansible_check_mode - name: overwrite apache_serverstatus_suffix set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" - when: not ansible_check_mode - debug: var: apache_serverstatus_suffix @@ -42,14 +40,12 @@ dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" - when: not ansible_check_mode - name: add server-status suffix in default site index if missing replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' - when: not ansible_check_mode - name: add server-status suffix in default VHost replace: @@ -57,14 +53,12 @@ regexp: '' replace: '' notify: reload apache - when: not ansible_check_mode - name: Munin configuration has a section for apache lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no - when: not ansible_check_mode - name: apache-status URL is configured for Munin lineinfile: 
@@ -74,4 +68,3 @@ insertafter: "[apache_*]" create: no notify: restart munin-node - when: not ansible_check_mode diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index e29d249f..f71ba552 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -8,7 +8,6 @@ - etc-git when: - ansible_distribution == "Debian" - - not ansible_check_mode - name: Install and configure utilities include: utils.yml @@ -19,6 +18,4 @@ include: repositories.yml tags: - etc-git - when: - - etc_git_config_repositories | bool - - not ansible_check_mode + when: etc_git_config_repositories | bool \ No newline at end of file diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 27bba9c3..71ff0665 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -34,4 +34,4 @@ - _usr_share_scripts.stat.isdir - ansible_distribution_major_version is version('10', '>=') tags: - - etc-git + - etc-git \ No newline at end of file diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index b1619c03..80987da2 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -22,7 +22,6 @@ value: "root@{{ ansible_fqdn | default('localhost') }}" tags: - etc-git - when: not ansible_check_mode - name: "{{ repository_path }}/.git is restricted to root" file: @@ -50,7 +49,6 @@ loop: "{{ gitignore_items | default([]) }}" tags: - etc-git - when: not ansible_check_mode - name: "does {{ repository_path }}/ have any commit?" command: "git log" @@ -72,4 +70,4 @@ register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init is changed) tags: - - etc-git + - etc-git \ No newline at end of file diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index fb817eb7..1ea11783 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml 
@@ -1,17 +1,14 @@ - name: newaliases command: newaliases - when: not ansible_check_mode - name: Test Apache conf command: apache2ctl -t notify: "Reload Apache conf" - when: not ansible_check_mode - name: reload apache2 service: name: apache2 state: reloaded - when: not ansible_check_mode - name: apt update apt: @@ -21,10 +18,8 @@ service: name: squid3 state: reloaded - when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded - when: not ansible_check_mode diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 1338a97b..306cf019 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -10,8 +10,6 @@ - debug: var: evocheck_run.stdout_lines - when: - - not ansible_check_mode - - evocheck_run.stdout | length > 0 + when: evocheck_run.stdout | length > 0 tags: - evocheck-exec diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 4d8905b5..84580b54 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -38,7 +38,6 @@ owner: root group: ssl-cert mode: "0640" - when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index d8a966d8..7ebecc82 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -43,9 +43,7 @@ state: present tags: - packages - when: - - ansible_virtualization_role == "host" - - not ansible_check_mode + when: ansible_virtualization_role == "host" ## RAID # Dell and others: MegaRAID SAS @@ -110,7 +108,6 @@ name: ssacli tags: - packages - when: not ansible_check_mode when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout" 
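Review bot: In evocheck/tasks/exec.yml (@@ -10,8 +10,6 @@) the debug task is now guarded only by `when: evocheck_run.stdout | length > 0`, so a `--check` run needs `evocheck_run` to carry a `stdout` key. The task that registers `evocheck_run` is outside the hunk; if it is a command that is skipped in check mode, the registered result may have no `stdout` on some Ansible versions, and the condition would then raise an error instead of skipping. A defensive form is `when: evocheck_run.stdout | default('') | length > 0`. The same question applies to `when: grep_profile_evomaintenance.rc != 0` in evolinux-users/tasks/user.yml (@@ -161,7 +161,6 @@), whose registering task is also not visible.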
@@ -137,7 +134,6 @@ state: present tags: - packages - when: not ansible_check_mode - name: cciss-vol-statusd init script is present (HP gen <10) template: @@ -250,7 +246,6 @@ allow_unauthenticated: yes tags: - packages - when: not ansible_check_mode - name: Configure packages for DELL/LSI hardware template: @@ -268,7 +263,6 @@ tags: - packages - config - when: not ansible_check_mode when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 25937b3e..35ce19cf 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -16,7 +16,6 @@ daemon-reload: yes state: started enabled: yes - when: not ansible_check_mode - name: log2mail config is present blockinfile: @@ -33,5 +32,4 @@ notify: restart log2mail tags: - log2mail - when: not ansible_check_mode diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index ad72ed55..b4a1d666 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -89,9 +89,7 @@ apt: name: serveur-base allow_unauthenticated: yes - when: - - evolinux_packages_serveur_base | bool - - not ansible_check_mode + when: evolinux_packages_serveur_base | bool - name: Install/Update packages for Stretch and later apt: diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 53017d1f..6a46548b 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -20,7 +20,6 @@ notify: reload postfix tags: - postfix - when: not ansible_check_mode - name: configure postfix mynetworks lineinfile: @@ -31,7 +30,6 @@ notify: reload postfix tags: - postfix - when: not ansible_check_mode - name: fetch users list shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" 
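Review bot: The apt task at the top of evolinux-base/tasks/hardware.yml @@ -250,7 +246,6 @@ and the `serveur-base` task in evolinux-base/tasks/packages.yml (@@ -89,9 +89,7 @@) both keep `allow_unauthenticated: yes`, which lets apt install the package without a verified repository signature. Neither hunk explains why this is needed, and the repository and key setup are outside the visible lines. If the repository is signed and the role deploys its key, the option can be dropped. Otherwise, a comment on each task such as `# repository is unsigned: apt does not verify this package's authenticity` would make the accepted risk explicit.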
@@ -50,9 +48,7 @@ line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: - - evolinux_postfix_users_alias_root | bool - - not ansible_check_mode + when: evolinux_postfix_users_alias_root | bool tags: - postfix @@ -69,9 +65,7 @@ - error - bounce notify: newaliases - when: - - evolinux_postfix_mailer_alias_root | bool - - not ansible_check_mode + when: evolinux_postfix_mailer_alias_root | bool tags: - postfix @@ -81,9 +75,7 @@ regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: - - evolinux_postfix_root_alias | bool - - not ansible_check_mode + when: evolinux_postfix_root_alias | bool tags: - postfix diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 50af1812..0f8bd480 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -161,7 +161,6 @@ insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' when: grep_profile_evomaintenance.rc != 0 - when: not ansible_check_mode # SSH keys @@ -193,6 +192,5 @@ when: - user.ssh_keys is defined - user.ssh_keys | length > 0 - - not ansible_check_mode - meta: flush_handlers diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 24378067..9cf3b9cb 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml @@ -3,16 +3,13 @@ service: name: haproxy state: reloaded - when: not ansible_check_mode - name: restart haproxy service: name: haproxy state: restarted - when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted - when: not ansible_check_mode diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 62664415..d38e83af 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -123,7 +123,6 @@ tags: - haproxy - logrotate - when: not ansible_check_mode - name: Rotate logs with nodelaycompress lineinfile: 
@@ -134,7 +133,6 @@ tags: - haproxy - logrotate - when: not ansible_check_mode - name: Set net.ipv4.ip_nonlocal_bind sysctl: diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 85211747..64677009 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 98b2c4d8..b0ff90fe 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 6ca43148..91dc38e1 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index b841bb67..ad4f35d6 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -4,7 +4,6 @@ changed_when: false check_mode: no register: container_exists - when: not ansible_check_mode - name: "Create container {{ name }}" lxc_container: @@ -14,7 +13,6 @@ state: stopped template_options: "--arch amd64 --release {{ release }}" when: container_exists.stdout_lines | length == 0 - when: not ansible_check_mode - name: "Disable network configuration inside container {{ name }}" replace: 
@@ -22,14 +20,12 @@ regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no when: lxc_network_type == "none" - when: not ansible_check_mode - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" when: lxc_network_type == "none" and release == "jessie" - when: not ansible_check_mode - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: @@ -48,7 +44,6 @@ lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" - when: not ansible_check_mode - name: "Fix permission on /dev for container {{ name }}" lineinfile: @@ -56,7 +51,6 @@ line: "chmod 755 /dev" insertbefore: "^exit 0$" when: release == 'jessie' - when: not ansible_check_mode - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 6f9f0875..3ec586bd 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -48,7 +48,6 @@ changed_when: false check_mode: no register: check_fs_options - when: not ansible_check_mode - name: Check if options are correct assert: @@ -57,7 +56,6 @@ - "'noexec' not in check_fs_options.stdout" - "'nosuid' not in check_fs_options.stdout" msg: "LXC directory is in a filesystem with incompatible options" - when: not ansible_check_mode - name: Create containers include: create-container.yml diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index ae38ff4d..b0a1d7a6 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -30,7 +30,6 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no - when: not ansible_check_mode - name: End marker for IP addresses lineinfile: 
@@ -38,7 +37,6 @@ create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - when: not ansible_check_mode - name: Verify that at least 1 trusted IP is provided assert: @@ -86,7 +84,6 @@ PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' create: no register: minifirewall_config_ips - when: not ansible_check_mode - name: Begin marker for ports lineinfile: @@ -94,7 +91,6 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no - when: not ansible_check_mode - name: End marker for ports lineinfile: @@ -102,7 +98,6 @@ line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no - when: not ansible_check_mode - name: Configure ports blockinfile: @@ -127,7 +122,6 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' create: no register: minifirewall_config_ports - when: not ansible_check_mode - name: Configure DNSSERVEURS lineinfile: @@ -199,9 +193,7 @@ line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" create: no - when: - - minifirewall_proxy is not none - - not ansible_check_mode + when: minifirewall_proxy is not none - name: Configure PROXYPORT lineinfile: @@ -209,9 +201,7 @@ line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" create: no - when: - - minifirewall_proxyport is not none - - not ansible_check_mode + when: minifirewall_proxyport is not none # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated @@ -221,9 +211,7 @@ line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" create: no - when: - - minifirewall_proxyport is not none - - not ansible_check_mode + when: minifirewall_proxybypass is not none - name: Configure BACKUPSERVERS lineinfile: 
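Review bot: The visible CHANGELOG hunks have no entry for the PROXYBYPASS guard in minifirewall/tasks/config.yml (@@ -221,9 +211,7 @@), which moves from `minifirewall_proxyport is not none` to `minifirewall_proxybypass is not none`. Unlike the check-mode clean-up around it, this changes which hosts get the line rewritten: a host that sets only one of the two variables ends up with a different firewall configuration. A line under Fixed such as `* minifirewall: PROXYBYPASS is configured when minifirewall_proxybypass is set` would record it. The comment above the task says the value is deliberately double-quoted so that shell variables are interpolated, so entries of `minifirewall_proxybypass` are presumably expanded by the shell when the file is read. That is worth stating where the variable is documented.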
@@ -231,9 +219,7 @@ line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" create: no - when: - - minifirewall_backupservers is not none - - not ansible_check_mode + when: minifirewall_backupservers is not none - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS lineinfile: diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 6dcd127d..8654181d 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml @@ -4,14 +4,12 @@ service: name: munin-node state: restarted - when: not ansible_check_mode - name: restart munin_node service: name: munin_node state: restarted - when: not ansible_check_mode - name: systemd daemon-reload systemd: - daemon_reload: yes + daemon_reload: yes \ No newline at end of file diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index f4aab7c6..a4ea9a49 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -33,7 +33,6 @@ notify: restart munin-node when: not ansible_hostname == "localdomain" - when: not ansible_check_mode tags: - munin @@ -80,7 +79,6 @@ notify: restart munin-node tags: - munin - when: not ansible_check_mode - name: Enable sensors_ plugin on dedicated hardware file: @@ -94,7 +92,6 @@ notify: restart munin-node tags: - munin - when: not ansible_check_mode - name: Enable ipmi_ plugin on dedicated hardware file: @@ -108,7 +105,6 @@ - temp - power - volts - when: not ansible_check_mode - name: adjustments for grsec kernel blockinfile: diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index da4af342..c375f5d5 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -43,4 +43,3 @@ - mysql_custom_datadir | length > 0 - mysql_custom_datadir != mysql_current_real_datadir_test.stdout - not mysql_custom_datadir_test.stat.exists - - not ansible_check_mode diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index 1779667a..bd6ecab2 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml 
@@ -43,4 +43,3 @@ - mysql_custom_logdir | length > 0 - mysql_custom_logdir != mysql_current_real_logdir_test.stdout - not mysql_custom_logdir_test.stat.exists - - not ansible_check_mode diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 99c89d8a..652eace7 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -42,7 +42,6 @@ tags: - mysql - services - when: not ansible_check_mode - name: apg package is installed apt: diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 34e4d2b6..880f5050 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -28,7 +28,6 @@ tags: - mysql - services - when: not ansible_check_mode - name: apg package is installed apt: @@ -58,4 +57,4 @@ tags: - mysql - packages - when: ansible_python_version is version('3', '>=') + when: ansible_python_version is version('3', '>=') \ No newline at end of file diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 9ae7fd15..1ac8f2df 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -156,7 +156,6 @@ dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link when: mysql_cron_optimize | bool - when: not ansible_check_mode tags: - mysql @@ -249,4 +248,4 @@ mode: "0755" force: no tags: - - mysql + - mysql \ No newline at end of file diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index de27314f..25ab29ad 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml @@ -4,10 +4,8 @@ service: name: nagios-nrpe-server state: restarted - when: not ansible_check_mode - name: restart nrpe service: name: nrpe state: restarted - when: not ansible_check_mode diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index ae4a97c5..2d66d765 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -21,4 +21,3 @@ notify: restart ntp tags: - ntp - when: not ansible_check_mode 
diff --git a/openvpn/files/shellpki/openssl.cnf b/openvpn/files/shellpki/openssl.cnf index 5e1e3c83..48ab9bd5 100644 --- a/openvpn/files/shellpki/openssl.cnf +++ b/openvpn/files/shellpki/openssl.cnf @@ -1,4 +1,4 @@ -# VERSION="22.04" +# VERSION="22.12.2" [ ca ] default_ca = CA_default @@ -14,7 +14,7 @@ crl = $dir/crl.pem private_key = $dir/cakey.key RANDFILE = $dir/.rand default_days = 365 -default_crl_days= 365 +default_crl_days= 730 default_md = sha256 preserve = no policy = policy_match diff --git a/openvpn/files/shellpki/shellpki b/openvpn/files/shellpki/shellpki index 5e7169c9..ac1d263d 100755 --- a/openvpn/files/shellpki/shellpki +++ b/openvpn/files/shellpki/shellpki @@ -5,7 +5,7 @@ set -u -VERSION="22.12" +VERSION="22.12.2" show_version() { cat </dev/null" - when: not ansible_check_mode - name: Comment default awstat cron's tasks lineinfile: @@ -57,4 +54,3 @@ line: '#\1' backrefs: yes state: present - when: not ansible_check_mode diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 58b2047c..ff3cd9a7 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -26,7 +26,6 @@ dest: /var/www/index.html line: '
  • Infos PHP
  • ' regexp: "Infos PHP" - when: not ansible_check_mode - name: install opcache.php copy: @@ -39,7 +38,6 @@ dest: /var/www/index.html line: '
  • Infos OpCache PHP
  • ' regexp: "Infos OpCache PHP" - when: not ansible_check_mode - name: Add elements to user account template file: @@ -66,7 +64,6 @@ loop: - access.log - error.log - when: not ansible_check_mode - name: "Install userlogrotate (jessie)" copy: diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 80a6f34a..8a7c9613 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -5,7 +5,6 @@ state: present name: proxy_fcgi notify: restart apache2 - when: not ansible_check_mode - include_role: name: remount-usr diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index 9e894786..f83b0a5d 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -65,12 +65,10 @@ changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix - when: not ansible_check_mode - name: overwrite packweb_phpmyadmin_suffix set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" - when: not ansible_check_mode - debug: var: packweb_phpmyadmin_suffix @@ -88,18 +86,15 @@ Require all denied Include /etc/apache2/ipaddr_whitelist.conf - when: not ansible_check_mode - name: enable phpmyadmin link in default site index replace: dest: /var/www/index.html regexp: '' replace: '
  • Accès PhpMyAdmin
  • ' - when: not ansible_check_mode - name: replace phpmyadmin suffix in default site index replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" - when: not ansible_check_mode diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 75fe86ba..079a14d5 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -4,28 +4,23 @@ service: name: php5-fpm state: restarted - when: not ansible_check_mode - name: restart php7.0-fpm service: name: php7.0-fpm state: restarted - when: not ansible_check_mode - name: restart php7.3-fpm service: name: php7.3-fpm state: restarted - when: not ansible_check_mode - name: restart php7.4-fpm service: name: php7.4-fpm state: restarted - when: not ansible_check_mode - name: restart php8.1-fpm service: name: php8.1-fpm state: restarted - when: not ansible_check_mode diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index 19030c0c..d327690a 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -25,7 +25,6 @@ file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" - when: not ansible_check_mode - name: "Set custom values for PHP to enable Symfony" ini_file: @@ -37,4 +36,3 @@ loop: - { option: "date.timezone", value: "Europe/Paris" } when: php_symfony_requirements | bool - when: not ansible_check_mode diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index b9dd9ac2..4dcde767 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -79,14 +79,12 @@ with_items: - /etc/php - /etc/php/{{ php_version }} - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 12)" file: dest: /etc/php/{{ php_version }}/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable 
@@ -96,7 +94,6 @@ dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable - when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -106,7 +103,6 @@ dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable - when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 7d2d7e11..403a7b76 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -68,14 +68,12 @@ with_items: - /etc/php - /etc/php/7.4 - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 11)" file: dest: /etc/php/7.4/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable @@ -85,7 +83,6 @@ dest: /etc/php/7.4/fpm mode: "0755" when: php_fpm_enable - when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -95,7 +92,6 @@ dest: /etc/php/7.4/apache2 mode: "0755" when: php_apache_enable - when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index ff27e410..2fc4293e 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -68,14 +68,12 @@ loop: - /etc/php - /etc/php/7.3 - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 10)" file: dest: /etc/php/7.3/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -85,7 +83,6 @@ dest: /etc/php/7.3/fpm mode: "0755" when: php_fpm_enable | bool - when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -95,7 +92,6 @@ dest: /etc/php/7.3/apache2 mode: "0755" when: php_apache_enable | bool - when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool 
diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 1082dcf5..75105166 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -56,7 +56,6 @@ file: dest: /etc/php5 mode: "0755" - when: not ansible_check_mode - include: config_cli.yml @@ -64,7 +63,6 @@ file: dest: /etc/php5/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -74,7 +72,6 @@ dest: /etc/php5/fpm mode: "0755" when: php_fpm_enable | bool - when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -84,4 +81,3 @@ dest: /etc/php5/apache2 mode: "0755" when: php_apache_enable | bool - when: not ansible_check_mode diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 6188877c..698621ac 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -68,7 +68,6 @@ loop: - /etc/php - /etc/php/7.0 - when: not ansible_check_mode - include: config_cli.yml @@ -76,7 +75,6 @@ file: dest: /etc/php/7.0/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -86,7 +84,6 @@ dest: /etc/php/7.0/fpm mode: "0755" when: php_fpm_enable | bool - when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -96,7 +93,6 @@ dest: /etc/php/7.0/apache2 mode: "0755" when: php_apache_enable | bool - when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 14ffabab..4e706889 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -14,7 +14,6 @@ file: dest: /etc/php/7.4/cli mode: "0755" - when: not ansible_check_mode - name: Symlink Evolix Apache config files from 7.4 to 7.0 file: @@ -32,7 +31,6 @@ dest: /etc/php/7.4/apache2 mode: "0755" when: php_apache_enable | bool - when: not ansible_check_mode - name: Symlink Evolix FPM config files from 7.4 to 7.0 file: 
@@ -52,4 +50,3 @@ dest: /etc/php/7.4/fpm mode: "0755" when: php_fpm_enable | bool - when: not ansible_check_mode diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml index bffa7ede..0914d289 100644 --- a/proftpd/handlers/main.yml +++ b/proftpd/handlers/main.yml @@ -3,4 +3,3 @@ service: name: proftpd state: restarted - when: not ansible_check_mode diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index f29fbd81..f45958a9 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -70,7 +70,6 @@ notify: restart proftpd tags: - proftpd - when: not ansible_check_mode - name: Put empty vpasswd file if missing copy: @@ -93,7 +92,6 @@ notify: restart proftpd tags: - proftpd - when: not ansible_check_mode - include: accounts.yml when: proftpd_accounts | length > 0 diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 675a9dbd..4f5329b9 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml @@ -3,38 +3,31 @@ service: name: munin-node state: restarted - when: not ansible_check_mode - name: restart squid service: name: squid state: restarted - when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded - when: not ansible_check_mode - name: restart squid3 service: name: squid3 state: restarted - when: not ansible_check_mode - name: reload squid3 service: name: squid3 state: reloaded - when: not ansible_check_mode - name: restart log2mail service: name: log2mail state: restarted - when: not ansible_check_mode - name: restart minifirewall command: /etc/init.d/minifirewall restart - when: not ansible_check_mode diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 540e56d9..4a3cab4d 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -121,7 +121,6 @@ when: - squid_localproxy_enable | bool - ansible_distribution_major_version is version('9', '>=') - - not ansible_check_mode - name: "evolinux custom overrides (Debian 9 or later)" copy: 
diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index 074b38fb..98f275ff 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -10,4 +10,3 @@ remote_src: False src: ftp/evolinux.conf.diff dest: /etc/proftpd/conf.d/z-evolinux.conf - when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index d9589548..1acb2aa5 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml @@ -3,9 +3,7 @@ - name: "Ensure that evoadmin_contact_email is defined" fail: msg: Please configure var evoadmin_contact_email - when: - - evoadmin_contact_email is none or evoadmin_contact_email | length == 0 - - not ansible_check_mode + when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0 - include: packages.yml @@ -25,4 +23,3 @@ marker: "" block: |
  • Interface admin web (EvoAdmin-web)
  • - when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index eb7a31cd..6bdf1421 100644 --- a/webapps/evoadmin-web/tasks/ssl.yml +++ b/webapps/evoadmin-web/tasks/ssl.yml @@ -17,7 +17,6 @@ owner: root group: ssl-cert mode: "0640" - when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index fa61b830..bbad1b8f 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -54,9 +54,7 @@ dest: "{{ evoadmin_document_root }}" version: jessie update: False - when: - - ansible_distribution_release == "jessie" - - not ansible_check_mode + when: ansible_distribution_release == "jessie" - name: "Clone evoadmin repository (Debian 9 or later)" git: @@ -64,9 +62,7 @@ dest: "{{ evoadmin_document_root }}" version: master update: False - when: - - ansible_distribution_major_version is version('9', '>=') - - not ansible_check_mode + when: ansible_distribution_major_version is version('9', '>=') - name: Change ownership on git repository file: