diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 96daa368..931e9c94 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -3,13 +3,16 @@ service: name: apache2 state: restarted + when: not ansible_check_mode - name: reload apache service: name: apache2 state: reloaded + when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted + when: not ansible_check_mode diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index fd01517c..0c8322a9 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -14,7 +14,12 @@ - name: Load IP whitelist task include: ip_whitelist.yml -- name: include private IP whitelist for server-status +- name: Is status.conf present? + stat: + path: /etc/apache2/mods-available/status.conf + register: _status_conf + +- name: Include private IP whitelist for server-status lineinfile: dest: /etc/apache2/mods-available/status.conf line: " include /etc/apache2/ipaddr_whitelist.conf" @@ -22,6 +27,7 @@ state: present tags: - apache + when: _status_conf.stat.exists or not ansible_check_mode - name: Copy private_htpasswd copy: @@ -35,6 +41,11 @@ tags: - apache +- name: Is private_htpasswd present? + stat: + path: /etc/apache2/private_htpasswd + register: _private_htpasswd + - name: add user:pwd to private htpasswd lineinfile: dest: /etc/apache2/private_htpasswd @@ -44,6 +55,7 @@ notify: reload apache tags: - apache + when: _private_htpasswd.stat.exists or not ansible_check_mode - name: remove user:pwd from private htpasswd lineinfile: @@ -54,3 +66,4 @@ notify: reload apache tags: - apache + when: _private_htpasswd.stat.exists or not ansible_check_mode diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index 18f4a681..fc576a44 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml 
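Review bot: Skipping the `service` handlers entirely in check mode (`when: not ansible_check_mode` on `restart apache`, `reload apache` and `restart munin-node`) removes them from the dry-run report, so `--check` no longer shows that a config change would restart Apache; the same pattern is applied to service, apt, file and lineinfile tasks throughout this commit, all of which support check mode natively. If the motivation is that the unit may not exist yet on a freshly provisioned host, that deserves a comment on the first handler, e.g. `# Skipped in check mode: the service may not be installed yet on a fresh host`, and `ignore_errors: "{{ ansible_check_mode }}"` on the handler would keep the would-restart output on hosts where the service is present. Either choice is defensible, but the trade-off is currently invisible to the next reader.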
@@ -1,6 +1,11 @@ --- -- name: add IP addresses to private IP whitelist +- name: Is ipaddr_whitelist.conf present? + stat: + path: /etc/apache2/ipaddr_whitelist.conf + register: _ipaddr_whitelist_conf + +- name: Add IP addresses to private IP whitelist lineinfile: dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" @@ -10,8 +15,9 @@ tags: - apache - ips + when: _ipaddr_whitelist_conf.stat.exists or not ansible_check_mode -- name: remove IP addresses from private IP whitelist +- name: Remove IP addresses from private IP whitelist lineinfile: dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index 3b0650b7..daf59db9 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -6,6 +6,7 @@ state: present tags: - apache + when: not ansible_check_mode - name: Add log2mail config for Apache segfaults template: diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 1a028205..efc7b30b 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -53,6 +53,7 @@ notify: reload apache tags: - apache + when: not ansible_check_mode - name: basic modules are enabled apache2_module: @@ -61,7 +62,9 @@ loop: - cgi notify: reload apache - when: apache_mpm == "prefork" or apache_mpm == "itk" + when: + - apache_mpm == "prefork" or apache_mpm == "itk" + - not ansible_check_mode tags: - apache 
@@ -123,14 +126,21 @@ tags: - apache -- name: default vhost is enabled +- name: Is 000-evolinux-default.conf present? + stat: + path: /etc/apache2/sites-available/000-evolinux-default.conf + register: _000_evolinux_default_conf + +- name: Default vhost is enabled file: src: /etc/apache2/sites-available/000-evolinux-default.conf dest: /etc/apache2/sites-enabled/000-default.conf state: link force: yes notify: reload apache - when: apache_evolinux_default_enabled | bool + when: + - apache_evolinux_default_enabled | bool + - _000_evolinux_default_conf.stat.exists or not ansible_check_mode tags: - apache @@ -138,7 +148,7 @@ tags: - apache -- name: is umask already present? +- name: Is umask already present? command: "grep -E '^umask ' /etc/apache2/envvars" failed_when: False changed_when: False @@ -147,6 +157,11 @@ tags: - apache +- name: Is envvars present? + stat: + path: /etc/apache2/envvars + register: _envvars + - name: Add a mark in envvars for umask blockinfile: dest: /etc/apache2/envvars @@ -155,7 +170,9 @@ ## Set umask for writing by Apache user. ## Set rights on files and directories written by Apache umask 007 - when: envvar_grep_umask.rc != 0 + when: + - envvar_grep_umask.rc != 0 + - _envvars.stat.exists or not ansible_check_mode tags: - apache @@ -183,6 +200,11 @@ tags: - apache +- name: Is logrotate.d/apache2 present? + stat: + path: /etc/logrotate.d/apache2 + register: _logrotate_d_apache2 + - name: "logrotate: {{ apache_logrotate_frequency }}" replace: dest: /etc/logrotate.d/apache2 @@ -190,6 +212,7 @@ replace: "{{ apache_logrotate_frequency }}" tags: - apache + when: _logrotate_d_apache2.stat.exists or not ansible_check_mode - name: "logrotate: rotate {{ apache_logrotate_rotate }}" replace: @@ -198,6 +221,7 @@ replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache + when: _logrotate_d_apache2.stat.exists or not ansible_check_mode - include: log2mail.yml when: apache_log2mail_include 
diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index fe07a5cf..b9602511 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -23,6 +23,7 @@ tags: - apache - munin + when: not ansible_check_mode - name: "Install fcgi packages for Munin graphs" apt: @@ -43,6 +44,7 @@ tags: - apache - munin + when: not ansible_check_mode - name: "Apache has access to /var/log/munin/" file: @@ -51,3 +53,4 @@ tags: - apache - munin + when: not ansible_check_mode diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index efd2b00e..77c065f8 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -21,15 +21,22 @@ args: creates: "{{ apache_serverstatus_suffix_file }}" +- name: Is apache_serverstatus_suffix_file present? + stat: + path: "{{ apache_serverstatus_suffix_file }}" + register: _apache_serverstatus_suffix_file + - name: read apache server status suffix command: "tail -n 1 {{ apache_serverstatus_suffix_file }}" changed_when: False check_mode: no register: new_apache_serverstatus_suffix + when: _apache_serverstatus_suffix_file.stat.exists or not ansible_check_mode - name: overwrite apache_serverstatus_suffix set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" + when: _apache_serverstatus_suffix_file.stat.exists or not ansible_check_mode - debug: var: apache_serverstatus_suffix @@ -40,12 +47,14 @@ dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" + when: _apache_serverstatus_suffix_file.stat.exists or not ansible_check_mode - name: add server-status suffix in default site index if missing replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' + when: _apache_serverstatus_suffix_file.stat.exists or not ansible_check_mode - name: add server-status suffix in default VHost replace: 
@@ -53,12 +62,19 @@ regexp: '' replace: '' notify: reload apache + when: _apache_serverstatus_suffix_file.stat.exists or not ansible_check_mode + +- name: Is munin-node present? + stat: + path: /etc/munin/plugin-conf.d/munin-node + register: _munin_node - name: Munin configuration has a section for apache lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no + when: _munin_node.stat.exists or not ansible_check_mode - name: apache-status URL is configured for Munin lineinfile: @@ -68,3 +84,4 @@ insertafter: "[apache_*]" create: no notify: restart munin-node + when: _munin_node.stat.exists or not ansible_check_mode diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index f71ba552..455953b0 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -8,14 +8,22 @@ - etc-git when: - ansible_distribution == "Debian" + - not ansible_check_mode - name: Install and configure utilities include: utils.yml tags: - etc-git +- name: Is git present? + stat: + path: /usr/bin/git + register: _git + - name: Configure repositories include: repositories.yml tags: - etc-git - when: etc_git_config_repositories | bool \ No newline at end of file + when: + - etc_git_config_repositories | bool + - _git.stat.exists or not ansible_check_mode diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index 1ea11783..fb817eb7 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -1,14 +1,17 @@ - name: newaliases command: newaliases + when: not ansible_check_mode - name: Test Apache conf command: apache2ctl -t notify: "Reload Apache conf" + when: not ansible_check_mode - name: reload apache2 service: name: apache2 state: reloaded + when: not ansible_check_mode - name: apt update apt: @@ -18,8 +21,10 @@ service: name: squid3 state: reloaded + when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded + when: not ansible_check_mode 
diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 306cf019..1338a97b 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -10,6 +10,8 @@ - debug: var: evocheck_run.stdout_lines - when: evocheck_run.stdout | length > 0 + when: + - not ansible_check_mode + - evocheck_run.stdout | length > 0 tags: - evocheck-exec diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 84580b54..4d8905b5 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -38,6 +38,7 @@ owner: root group: ssl-cert mode: "0640" + when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 7ebecc82..d8a966d8 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -43,7 +43,9 @@ state: present tags: - packages - when: ansible_virtualization_role == "host" + when: + - ansible_virtualization_role == "host" + - not ansible_check_mode ## RAID # Dell and others: MegaRAID SAS @@ -108,6 +110,7 @@ name: ssacli tags: - packages + when: not ansible_check_mode when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout" @@ -134,6 +137,7 @@ state: present tags: - packages + when: not ansible_check_mode - name: cciss-vol-statusd init script is present (HP gen <10) template: @@ -246,6 +250,7 @@ allow_unauthenticated: yes tags: - packages + when: not ansible_check_mode - name: Configure packages for DELL/LSI hardware template: @@ -263,6 +268,7 @@ tags: - packages - config + when: not ansible_check_mode when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool 
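Review bot: In the hunk at `@@ -108,6 +110,7 @@` the added `when: not ansible_check_mode` sits directly above an existing `when:` list; indentation is not recoverable from this view, so if both are at the same level this is a duplicate mapping key, which Ansible's loader by default resolves last-wins with a warning (the new condition is silently dropped) and rejects outright when `DUPLICATE_YAML_DICT_KEY` is set to error. The hunk at `@@ -263,6 +268,7 @@` has the same shape. If the existing `when:` belongs to an enclosing `block`, the change is valid but reads ambiguously; appending `- not ansible_check_mode` to that block-level list instead would make the intent unambiguous. The enclosing task and any enclosing block start outside both hunks.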
diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 35ce19cf..36a37483 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -16,6 +16,12 @@ daemon-reload: yes state: started enabled: yes + when: not ansible_check_mode + +- name: Is log2mail/config/default present? + stat: + path: /etc/log2mail/config/default + register: _log2mail_config_default - name: log2mail config is present blockinfile: @@ -32,4 +38,5 @@ notify: restart log2mail tags: - log2mail + when: _log2mail_config_default.stat.exists or not ansible_check_mode diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index b4a1d666..ad72ed55 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -89,7 +89,9 @@ apt: name: serveur-base allow_unauthenticated: yes - when: evolinux_packages_serveur_base | bool + when: + - evolinux_packages_serveur_base | bool + - not ansible_check_mode - name: Install/Update packages for Stretch and later apt: diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 6a46548b..ca9b72f5 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -11,6 +11,11 @@ - packages - postfix +- name: Is main.cf present? + stat: + path: /etc/postfix/main.cf + register: _main_cf + - name: configure postfix myhostname lineinfile: dest: /etc/postfix/main.cf @@ -20,6 +25,7 @@ notify: reload postfix tags: - postfix + when: _main_cf.stat.exists or not ansible_check_mode - name: configure postfix mynetworks lineinfile: @@ -30,6 +36,7 @@ notify: reload postfix tags: - postfix + when: _main_cf.stat.exists or not ansible_check_mode - name: fetch users list shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" @@ -41,6 +48,11 @@ tags: - postfix +- name: Is aliases present? + stat: + path: /etc/aliases + register: _aliases + - name: each user is aliased to root lineinfile: dest: /etc/aliases 
@@ -48,7 +60,9 @@ line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: evolinux_postfix_users_alias_root | bool + when: + - evolinux_postfix_users_alias_root | bool + - _aliases.stat.exists or not ansible_check_mode tags: - postfix @@ -65,7 +79,9 @@ - error - bounce notify: newaliases - when: evolinux_postfix_mailer_alias_root | bool + when: + - evolinux_postfix_mailer_alias_root | bool + - _aliases.stat.exists or not ansible_check_mode tags: - postfix @@ -75,7 +91,9 @@ regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: evolinux_postfix_root_alias | bool + when: + - evolinux_postfix_root_alias | bool + - _aliases.stat.exists or not ansible_check_mode tags: - postfix diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 0f8bd480..1c18f935 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -154,13 +154,21 @@ register: grep_profile_evomaintenance ## Don't add the trap if it is present or commented + +- name: "Is '/home/{{ user.name }}' present?" + stat: + path: '/home/{{ user.name }}' + register: _home_user_name + - name: "User '{{ user.name }}' has its shell trap for evomaintenance" lineinfile: state: present dest: '/home/{{ user.name }}/.profile' insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: grep_profile_evomaintenance.rc != 0 + when: + - grep_profile_evomaintenance.rc != 0 + - _home_user_name.stat.exists or not ansible_check_mode # SSH keys @@ -192,5 +200,6 @@ when: - user.ssh_keys is defined - user.ssh_keys | length > 0 + - _home_user_name.stat.exists or not ansible_check_mode - meta: flush_handlers diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 9cf3b9cb..24378067 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml 
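Review bot: In the hunk at `@@ -154,13 +154,21 @@` the new stat task `Is '/home/{{ user.name }}' present?` is inserted between the comment `## Don't add the trap if it is present or commented` and the `lineinfile` task that comment describes, so the comment now appears to document the stat. Place the stat directly after `register: grep_profile_evomaintenance`, above the comment, so the comment stays attached to the trap task. The hunk at `@@ -192,5 +200,6 @@` reuses `_home_user_name` in a task whose start is outside the hunk.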
@@ -3,13 +3,16 @@ service: name: haproxy state: reloaded + when: not ansible_check_mode - name: restart haproxy service: name: haproxy state: restarted + when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted + when: not ansible_check_mode diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index d38e83af..831e8ef0 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -114,6 +114,11 @@ - config - update-config +- name: Is haproxy.cfg present? + stat: + path: /etc/haproxy/haproxy.cfg + register: _haproxy_cfg + - name: Rotate logs with dateext lineinfile: dest: /etc/logrotate.d/haproxy @@ -123,6 +128,12 @@ tags: - haproxy - logrotate + when: _haproxy_cfg.stat.exists or not ansible_check_mode + +- name: Is logrotate.d/haproxy present? + stat: + path: /etc/logrotate.d/haproxy + register: _logrotate_d_haproxy - name: Rotate logs with nodelaycompress lineinfile: @@ -133,6 +144,7 @@ tags: - haproxy - logrotate + when: _logrotate_d_haproxy.stat.exists or not ansible_check_mode - name: Set net.ipv4.ip_nonlocal_bind sysctl: diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 64677009..7703ac60 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -5,11 +5,17 @@ name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" +- name: "Is sources.list present?" + stat: + path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" + register: _sources_list + - name: "{{ lxc_php_version }} - fix bullseye repository" replace: dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: _sources_list.stat.exists or not ansible_check_mode - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: 
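Review bot: In the hunk at `@@ -123,6 +128,12 @@` the `when: _haproxy_cfg.stat.exists or not ansible_check_mode` guards the `Rotate logs with dateext` task, but that task edits `/etc/logrotate.d/haproxy` (its `dest` is visible in the previous hunk), not `/etc/haproxy/haproxy.cfg`, so a check-mode run on a host with haproxy.cfg present and no logrotate file still runs `lineinfile` against a missing destination. The stat that actually matches, `Is logrotate.d/haproxy present?` registering `_logrotate_d_haproxy`, is added only after that task. Move that stat above `Rotate logs with dateext` and guard both logrotate tasks with `when: _logrotate_d_haproxy.stat.exists or not ansible_check_mode`; `_haproxy_cfg` has no other consumer visible in this diff. The `Rotate logs with dateext` task starts in the previous hunk and ends in this one.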
diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index b0ff90fe..31f327b9 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -5,11 +5,17 @@ name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg" +- name: "Is sources.list present?" + stat: + path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" + register: _sources_list + - name: "{{ lxc_php_version }} - fix bullseye repository" replace: dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: _sources_list.stat.exists or not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 91dc38e1..149f1ff6 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -5,11 +5,17 @@ name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg" +- name: "Is sources.list present?" + stat: + path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" + register: _sources_list + - name: "{{ lxc_php_version }} - fix bullseye repository" replace: dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: _sources_list.stat.exists or not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index ad4f35d6..7a28f499 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml 
@@ -1,9 +1,16 @@ --- + +- name: Is lxc installed? + stat: + path: /usr/bin/lxc-ls + register: _lxc_ls + - name: "Check if container {{ name }} exists" command: "lxc-ls {{ name }}" changed_when: false check_mode: no register: container_exists + when: _lxc_ls.stat.exists or not ansible_check_mode - name: "Create container {{ name }}" lxc_container: @@ -12,20 +19,31 @@ template: debian state: stopped template_options: "--arch amd64 --release {{ release }}" - when: container_exists.stdout_lines | length == 0 + when: + - container_exists.stdout_lines | length == 0 + - _lxc_container.stat.exists or not ansible_check_mode + +- name: "Is container {{ name }} created?" + stat: + path: "/var/lib/lxc/{{ name }}" + register: _lxc_container - name: "Disable network configuration inside container {{ name }}" replace: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/networking" regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no - when: lxc_network_type == "none" + when: + - lxc_network_type == "none" + - _lxc_container.stat.exists or not ansible_check_mode - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" - when: lxc_network_type == "none" and release == "jessie" + when: + - lxc_network_type == "none" and release == "jessie" + - _lxc_container.stat.exists or not ansible_check_mode - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: 
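Review bot: In the hunk at `@@ -12,20 +19,31 @@` the `Create container {{ name }}` task's new condition `_lxc_container.stat.exists or not ansible_check_mode` references a variable that is registered only by the `Is container {{ name }} created?` stat placed after it, so the conditional fails with an undefined-variable error on every run, not just in check mode. Since the container directory cannot exist before creation, that condition is also the wrong guard for a create step; drop it from this task and keep the stat, which then correctly precedes the `Disable network configuration` task. Separately, when `lxc-ls` is absent in check mode the `Check if container {{ name }} exists` task is now skipped, so `container_exists` carries no `stdout_lines` and the first condition errors; `- container_exists.stdout_lines | default([]) | length == 0` keeps it evaluable. The `Create container` task begins outside the hunk.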
@@ -44,13 +62,16 @@ lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" + when: _lxc_container.stat.exists or not ansible_check_mode - name: "Fix permission on /dev for container {{ name }}" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" - when: release == 'jessie' + when: + - release == 'jessie' + - _lxc_container.stat.exists or not ansible_check_mode - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 3ec586bd..b929099a 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -43,11 +43,17 @@ - lxc_unprivilegied_containers | bool - root_subuids.rc != 0 +- name: Is lxc present? + stat: + path: /var/lib/lxc + register: _lib_lxc + - name: Get filesystem options command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS changed_when: false check_mode: no register: check_fs_options + when: _lib_lxc.stat.exists or not ansible_check_mode - name: Check if options are correct assert: @@ -56,6 +62,7 @@ - "'noexec' not in check_fs_options.stdout" - "'nosuid' not in check_fs_options.stdout" msg: "LXC directory is in a filesystem with incompatible options" + when: _lib_lxc.stat.exists or not ansible_check_mode - name: Create containers include: create-container.yml diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index b0a1d7a6..c78468fc 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -24,12 +24,18 @@ var: minifirewall_is_running verbosity: 1 +- name: Is minifirewall present? + stat: + path: /etc/default/minifirewall + register: _minifirewall + - name: Begin marker for IP addresses lineinfile: dest: "/etc/default/minifirewall" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no + when: _minifirewall.stat.exists or not ansible_check_mode - name: End marker for IP addresses lineinfile: 
@@ -37,6 +43,7 @@ create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' + when: _minifirewall.stat.exists or not ansible_check_mode - name: Verify that at least 1 trusted IP is provided assert: @@ -84,6 +91,7 @@ PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' create: no register: minifirewall_config_ips + when: _minifirewall.stat.exists or not ansible_check_mode - name: Begin marker for ports lineinfile: @@ -91,6 +99,7 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no + when: _minifirewall.stat.exists or not ansible_check_mode - name: End marker for ports lineinfile: @@ -98,6 +107,7 @@ line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no + when: _minifirewall.stat.exists or not ansible_check_mode - name: Configure ports blockinfile: @@ -122,6 +132,7 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' create: no register: minifirewall_config_ports + when: _minifirewall.stat.exists or not ansible_check_mode - name: Configure DNSSERVEURS lineinfile: @@ -193,7 +204,9 @@ line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" create: no - when: minifirewall_proxy is not none + when: + - minifirewall_proxy is not none + - _minifirewall.stat.exists or not ansible_check_mode - name: Configure PROXYPORT lineinfile: @@ -201,7 +214,9 @@ line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" create: no - when: minifirewall_proxyport is not none + when: + - minifirewall_proxyport is not none + - _minifirewall.stat.exists or not ansible_check_mode # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated 
@@ -211,7 +226,9 @@ line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" create: no - when: minifirewall_proxybypass is not none + when: + - minifirewall_proxyport is not none + - _minifirewall.stat.exists or not ansible_check_mode - name: Configure BACKUPSERVERS lineinfile: @@ -219,7 +236,9 @@ line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" create: no - when: minifirewall_backupservers is not none + when: + - minifirewall_backupservers is not none + - _minifirewall.stat.exists or not ansible_check_mode - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS lineinfile: diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 8654181d..6dcd127d 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml @@ -4,12 +4,14 @@ service: name: munin-node state: restarted + when: not ansible_check_mode - name: restart munin_node service: name: munin_node state: restarted + when: not ansible_check_mode - name: systemd daemon-reload systemd: - daemon_reload: yes \ No newline at end of file + daemon_reload: yes diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index a4ea9a49..93f50e07 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -32,7 +32,9 @@ removes: /var/lib/munin/localdomain notify: restart munin-node - when: not ansible_hostname == "localdomain" + when: + - not ansible_hostname == "localdomain" + - not ansible_check_mode tags: - munin @@ -79,6 +81,7 @@ notify: restart munin-node tags: - munin + when: not ansible_check_mode - name: Enable sensors_ plugin on dedicated hardware file: @@ -92,6 +95,7 @@ notify: restart munin-node tags: - munin + when: not ansible_check_mode - name: Enable ipmi_ plugin on dedicated hardware file: @@ -105,6 +109,7 @@ - temp - power - volts + when: not ansible_check_mode - name: adjustments for grsec kernel blockinfile: 
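Review bot: In the hunk at `@@ -211,7 +226,9 @@` the condition for the `PROXYBYPASS` task was rewritten as `- minifirewall_proxyport is not none`, replacing the removed `minifirewall_proxybypass is not none`; with a proxy port set and `minifirewall_proxybypass` left at none, the task now runs and `minifirewall_proxybypass | join(' ')` in its `line` fails on a None value. Restore the variable: `- minifirewall_proxybypass is not none`. The other rewritten conditions in this file (PROXY, PROXYPORT, BACKUPSERVERS) keep their original variable, so this looks like a copy-paste slip. The task's `name` line is outside the hunk.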
diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index c375f5d5..da4af342 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -43,3 +43,4 @@ - mysql_custom_datadir | length > 0 - mysql_custom_datadir != mysql_current_real_datadir_test.stdout - not mysql_custom_datadir_test.stat.exists + - not ansible_check_mode diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index bd6ecab2..1779667a 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml @@ -43,3 +43,4 @@ - mysql_custom_logdir | length > 0 - mysql_custom_logdir != mysql_current_real_logdir_test.stdout - not mysql_custom_logdir_test.stat.exists + - not ansible_check_mode diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 652eace7..99c89d8a 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -42,6 +42,7 @@ tags: - mysql - services + when: not ansible_check_mode - name: apg package is installed apt: diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 880f5050..34e4d2b6 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -28,6 +28,7 @@ tags: - mysql - services + when: not ansible_check_mode - name: apg package is installed apt: @@ -57,4 +58,4 @@ tags: - mysql - packages - when: ansible_python_version is version('3', '>=') \ No newline at end of file + when: ansible_python_version is version('3', '>=') diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 1ac8f2df..e3fe76da 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -155,7 +155,9 @@ src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link - when: mysql_cron_optimize | bool + when: + - mysql_cron_optimize | bool + - not ansible_check_mode tags: - mysql @@ -248,4 +250,4 @@ mode: "0755" force: no tags: - - mysql \ No newline at end of file + - mysql 
diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index 25ab29ad..de27314f 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml @@ -4,8 +4,10 @@ service: name: nagios-nrpe-server state: restarted + when: not ansible_check_mode - name: restart nrpe service: name: nrpe state: restarted + when: not ansible_check_mode diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index 2d66d765..ae4a97c5 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -21,3 +21,4 @@ notify: restart ntp tags: - ntp + when: not ansible_check_mode diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 96c11e3a..c2efd93f 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -14,7 +14,9 @@ block: | # Used for Evoadmin-web export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - when: envvar_grep_path.rc != 0 + when: + - envvar_grep_path.rc != 0 + - not ansible_check_mode - name: Additional packages are installed apt: @@ -34,6 +36,7 @@ - negotiation - alias - log_forensic + when: not ansible_check_mode - name: Copy Apache settings for modules copy: @@ -60,3 +63,4 @@ loop: - evolinux-evasive - evolinux-modsec + when: not ansible_check_mode diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 5ea0fa57..a423aaf8 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -22,6 +22,7 @@ AllowFullYearView=3 ErrorMessages="An error occured. Contact your Administrator" mode: "0644" + when: not ansible_check_mode - name: Create conf-available/awstats-icon.conf file copy: @@ -39,6 +40,7 @@ register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache + when: not ansible_check_mode - name: Create awstats cron lineinfile: 
@@ -46,6 +48,7 @@ create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" + when: not ansible_check_mode - name: Comment default awstat cron's tasks lineinfile: @@ -54,3 +57,4 @@ line: '#\1' backrefs: yes state: present + when: not ansible_check_mode diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index ff3cd9a7..58b2047c 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -26,6 +26,7 @@ dest: /var/www/index.html line: '
  • Infos PHP
  • ' regexp: "Infos PHP" + when: not ansible_check_mode - name: install opcache.php copy: @@ -38,6 +39,7 @@ dest: /var/www/index.html line: '
  • Infos OpCache PHP
  • ' regexp: "Infos OpCache PHP" + when: not ansible_check_mode - name: Add elements to user account template file: @@ -64,6 +66,7 @@ loop: - access.log - error.log + when: not ansible_check_mode - name: "Install userlogrotate (jessie)" copy: diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 8a7c9613..80a6f34a 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -5,6 +5,7 @@ state: present name: proxy_fcgi notify: restart apache2 + when: not ansible_check_mode - include_role: name: remount-usr diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index f83b0a5d..9e894786 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -65,10 +65,12 @@ changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix + when: not ansible_check_mode - name: overwrite packweb_phpmyadmin_suffix set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" + when: not ansible_check_mode - debug: var: packweb_phpmyadmin_suffix @@ -86,15 +88,18 @@ Require all denied Include /etc/apache2/ipaddr_whitelist.conf + when: not ansible_check_mode - name: enable phpmyadmin link in default site index replace: dest: /var/www/index.html regexp: '' replace: '
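Review bot: In the hunk at `@@ -65,10 +65,12 @@` the suffix-reading task carries `check_mode: no` (run the read-only command even during a dry run) and now also `when: not ansible_check_mode`, which skips it in exactly that case; the two settings contradict each other, and the `overwrite packweb_phpmyadmin_suffix` set_fact right after is skipped too, so in check mode `packweb_phpmyadmin_suffix` keeps whatever default it may have and the following `debug` reports that instead of the real suffix. server_status.yml in this same commit handles the identical pattern by guarding on the suffix file's existence; mirroring that here with a `stat` on the suffix file registered as, say, `_phpmyadmin_suffix_file` and `when: _phpmyadmin_suffix_file.stat.exists or not ansible_check_mode` keeps the read working in check mode. The task whose `changed_when` opens this hunk starts outside it.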
  • Accès PhpMyAdmin
  • ' + when: not ansible_check_mode - name: replace phpmyadmin suffix in default site index replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" + when: not ansible_check_mode diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 079a14d5..75fe86ba 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -4,23 +4,28 @@ service: name: php5-fpm state: restarted + when: not ansible_check_mode - name: restart php7.0-fpm service: name: php7.0-fpm state: restarted + when: not ansible_check_mode - name: restart php7.3-fpm service: name: php7.3-fpm state: restarted + when: not ansible_check_mode - name: restart php7.4-fpm service: name: php7.4-fpm state: restarted + when: not ansible_check_mode - name: restart php8.1-fpm service: name: php8.1-fpm state: restarted + when: not ansible_check_mode diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index d327690a..e4fac4a7 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -25,6 +25,7 @@ file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" + when: not ansible_check_mode - name: "Set custom values for PHP to enable Symfony" ini_file: @@ -35,4 +36,6 @@ mode: "0644" loop: - { option: "date.timezone", value: "Europe/Paris" } - when: php_symfony_requirements | bool + when: + - php_symfony_requirements | bool + - not ansible_check_mode diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 4dcde767..49c91719 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -79,12 +79,14 @@ with_items: - /etc/php - /etc/php/{{ php_version }} + when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 12)" file: dest: /etc/php/{{ php_version }}/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable 
@@ -93,7 +95,9 @@
file:
dest: /etc/php/{{ php_version }}/fpm
mode: "0755"
- when: php_fpm_enable
+ when:
+ - php_fpm_enable
+ - not ansible_check_mode
- include: config_apache.yml
when: php_apache_enable
@@ -102,7 +106,9 @@
file:
dest: /etc/php/{{ php_version }}/apache2
mode: "0755"
- when: php_apache_enable
+ when:
+ - php_apache_enable
+ - not ansible_check_mode
- include: sury_post.yml
when: php_sury_enable
diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml
index 403a7b76..9b1fdf33 100644
--- a/php/tasks/main_bullseye.yml
+++ b/php/tasks/main_bullseye.yml
@@ -68,12 +68,14 @@
with_items:
- /etc/php
- /etc/php/7.4
+ when: not ansible_check_mode
- include: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 11)"
file:
dest: /etc/php/7.4/cli
mode: "0755"
+ when: not ansible_check_mode
- include: config_fpm.yml
when: php_fpm_enable
@@ -82,7 +84,9 @@
file:
dest: /etc/php/7.4/fpm
mode: "0755"
- when: php_fpm_enable
+ when:
+ - php_fpm_enable
+ - not ansible_check_mode
- include: config_apache.yml
when: php_apache_enable
@@ -91,7 +95,9 @@
file:
dest: /etc/php/7.4/apache2
mode: "0755"
- when: php_apache_enable
+ when:
+ - php_apache_enable
+ - not ansible_check_mode
- include: sury_post.yml
when: php_sury_enable
diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml
index 2fc4293e..eff2dc8f 100644
--- a/php/tasks/main_buster.yml
+++ b/php/tasks/main_buster.yml
@@ -68,12 +68,14 @@
loop:
- /etc/php
- /etc/php/7.3
+ when: not ansible_check_mode
- include: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 10)"
file:
dest: /etc/php/7.3/cli
mode: "0755"
+ when: not ansible_check_mode
- include: config_fpm.yml
when: php_fpm_enable | bool
@@ -82,7 +84,9 @@
file:
dest: /etc/php/7.3/fpm
mode: "0755"
- when: php_fpm_enable | bool
+ when:
+ - php_fpm_enable | bool
+ - not ansible_check_mode
- include: config_apache.yml
when: php_apache_enable | bool
@@ -91,7 +95,9 @@
file:
dest: /etc/php/7.3/apache2
mode: "0755"
- when: php_apache_enable | bool
+ when:
+ - php_apache_enable | bool
+ - not ansible_check_mode
- include: sury_post.yml
when: php_sury_enable | bool
diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml
index 75105166..a5aecdb7 100644
--- a/php/tasks/main_jessie.yml
+++ b/php/tasks/main_jessie.yml
@@ -56,6 +56,7 @@
file:
dest: /etc/php5
mode: "0755"
+ when: not ansible_check_mode
- include: config_cli.yml
@@ -63,6 +64,7 @@
file:
dest: /etc/php5/cli
mode: "0755"
+ when: not ansible_check_mode
- include: config_fpm.yml
when: php_fpm_enable | bool
@@ -71,7 +73,9 @@
file:
dest: /etc/php5/fpm
mode: "0755"
- when: php_fpm_enable | bool
+ when:
+ - php_fpm_enable | bool
+ - not ansible_check_mode
- include: config_apache.yml
when: php_apache_enable | bool
@@ -80,4 +84,6 @@
file:
dest: /etc/php5/apache2
mode: "0755"
- when: php_apache_enable | bool
+ when:
+ - php_apache_enable | bool
+ - not ansible_check_mode
diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml
index 698621ac..6934fa6a 100644
--- a/php/tasks/main_stretch.yml
+++ b/php/tasks/main_stretch.yml
@@ -68,6 +68,7 @@
loop:
- /etc/php
- /etc/php/7.0
+ when: not ansible_check_mode
- include: config_cli.yml
@@ -75,6 +76,7 @@
file:
dest: /etc/php/7.0/cli
mode: "0755"
+ when: not ansible_check_mode
- include: config_fpm.yml
when: php_fpm_enable | bool
@@ -83,7 +85,9 @@
file:
dest: /etc/php/7.0/fpm
mode: "0755"
- when: php_fpm_enable | bool
+ when:
+ - php_fpm_enable | bool
+ - not ansible_check_mode
- include: config_apache.yml
when: php_apache_enable | bool
@@ -92,7 +96,9 @@
file:
dest: /etc/php/7.0/apache2
mode: "0755"
- when: php_apache_enable | bool
+ when:
+ - php_apache_enable | bool
+ - not ansible_check_mode
- include: sury_post.yml
when: php_sury_enable | bool
diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml
index 4e706889..6855214b 100644
--- a/php/tasks/sury_post.yml
+++ b/php/tasks/sury_post.yml
@@ -14,6 +14,7 @@
file:
dest: /etc/php/7.4/cli
mode: "0755"
+ when: not ansible_check_mode
- name: Symlink Evolix Apache config files from 7.4 to 7.0
file:
@@ -30,7 +31,9 @@
file:
dest: /etc/php/7.4/apache2
mode: "0755"
- when: php_apache_enable | bool
+ when:
+ - php_apache_enable | bool
+ - not ansible_check_mode
- name: Symlink Evolix FPM config files from 7.4 to 7.0
file:
@@ -49,4 +52,6 @@
file:
dest: /etc/php/7.4/fpm
mode: "0755"
- when: php_fpm_enable | bool
+ when:
+ - php_fpm_enable | bool
+ - not ansible_check_mode
diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml
index 0914d289..bffa7ede 100644
--- a/proftpd/handlers/main.yml
+++ b/proftpd/handlers/main.yml
@@ -3,3 +3,4 @@
service:
name: proftpd
state: restarted
+ when: not ansible_check_mode
diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml
index f45958a9..f29fbd81 100644
--- a/proftpd/tasks/main.yml
+++ b/proftpd/tasks/main.yml
@@ -70,6 +70,7 @@
notify: restart proftpd
tags:
- proftpd
+ when: not ansible_check_mode
- name: Put empty vpasswd file if missing
copy:
@@ -92,6 +93,7 @@
notify: restart proftpd
tags:
- proftpd
+ when: not ansible_check_mode
- include: accounts.yml
when: proftpd_accounts | length > 0
diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml
index 4f5329b9..675a9dbd 100644
--- a/squid/handlers/main.yml
+++ b/squid/handlers/main.yml
@@ -3,31 +3,38 @@
service:
name: munin-node
state: restarted
+ when: not ansible_check_mode
- name: restart squid
service:
name: squid
state: restarted
+ when: not ansible_check_mode
- name: reload squid
service:
name: squid
state: reloaded
+ when: not ansible_check_mode
- name: restart squid3
service:
name: squid3
state: restarted
+ when: not ansible_check_mode
- name: reload squid3
service:
name: squid3
state: reloaded
+ when: not ansible_check_mode
- name: restart log2mail
service:
name: log2mail
state: restarted
+ when: not ansible_check_mode
- name: restart minifirewall
command: /etc/init.d/minifirewall restart
+ when: not ansible_check_mode
diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml
index 4a3cab4d..540e56d9 100644
--- a/squid/tasks/main.yml
+++ b/squid/tasks/main.yml
@@ -121,6 +121,7 @@
when:
- squid_localproxy_enable | bool
- ansible_distribution_major_version is version('9', '>=')
+ - not ansible_check_mode
- name: "evolinux custom overrides (Debian 9 or later)"
copy:
diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml
index 98f275ff..074b38fb 100644
--- a/webapps/evoadmin-web/tasks/ftp.yml
+++ b/webapps/evoadmin-web/tasks/ftp.yml
@@ -10,3 +10,4 @@
remote_src: False
src: ftp/evolinux.conf.diff
dest: /etc/proftpd/conf.d/z-evolinux.conf
+ when: not ansible_check_mode
diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml
index 1acb2aa5..d9589548 100644
--- a/webapps/evoadmin-web/tasks/main.yml
+++ b/webapps/evoadmin-web/tasks/main.yml
@@ -3,7 +3,9 @@
- name: "Ensure that evoadmin_contact_email is defined"
fail:
msg: Please configure var evoadmin_contact_email
- when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0
+ when:
+ - evoadmin_contact_email is none or evoadmin_contact_email | length == 0
+ - not ansible_check_mode
- include: packages.yml
@@ -23,3 +25,4 @@
marker: ""
block: |
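Review bot: Adding `- not ansible_check_mode` to the `fail` task in webapps/evoadmin-web/tasks/main.yml switches off the only validation of `evoadmin_contact_email` in exactly the mode operators use to preflight a run, so a `--check` pass no longer proves the variable is set and the first real run is the one that aborts. `fail` has no side effects and runs normally under `--check`, so there is nothing to protect here; keep the original `when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0` and drop the added condition. If a richer check is wanted, `assert` with `that:` and a `fail_msg` is equally check-mode safe.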
  • Interface admin web (EvoAdmin-web)
•
+ when: not ansible_check_mode
diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml
index 6bdf1421..eb7a31cd 100644
--- a/webapps/evoadmin-web/tasks/ssl.yml
+++ b/webapps/evoadmin-web/tasks/ssl.yml
@@ -17,6 +17,7 @@
owner: root
group: ssl-cert
mode: "0640"
+ when: not ansible_check_mode
- name: Create certificate for default site
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml
index bbad1b8f..fa61b830 100644
--- a/webapps/evoadmin-web/tasks/user.yml
+++ b/webapps/evoadmin-web/tasks/user.yml
@@ -54,7 +54,9 @@
dest: "{{ evoadmin_document_root }}"
version: jessie
update: False
- when: ansible_distribution_release == "jessie"
+ when:
+ - ansible_distribution_release == "jessie"
+ - not ansible_check_mode
- name: "Clone evoadmin repository (Debian 9 or later)"
git:
@@ -62,7 +64,9 @@
dest: "{{ evoadmin_document_root }}"
version: master
update: False
- when: ansible_distribution_major_version is version('9', '>=')
+ when:
+ - ansible_distribution_major_version is version('9', '>=')
+ - not ansible_check_mode
- name: Change ownership on git repository
file:
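Review bot: The `when: not ansible_check_mode` added under `mode: "0640"` in ssl.yml guards a task whose whole job is to enforce `owner: root`, `group: ssl-cert` and `0640` on what, judging from the following task's `-signkey /etc/ssl/private/{{ evoadmin_host }}.key`, appears to be the site's private key; the `file` module already supports check mode, so the guard only removes the dry-run report that would flag a too-permissive key before the real run. Drop the added line on this task, or if it fails on a fresh host because the key does not exist yet, prefer `ignore_errors: "{{ ansible_check_mode }}"` so the permission check still shows up wherever the file is present. The task's module and `dest` lines are outside the hunk, so the target is inferred.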