ansible-roles/evolinux-base/tasks/system.yml

206 lines
5.2 KiB
YAML

---
- name: /tmp must be world-writable
file:
path: /tmp
state: directory
mode: "u=rwx,g=rwx,o=rwxt"
when: evolinux_system_chmod_tmp
- name: Setting default locales
lineinfile:
dest: /etc/locale.gen
line: "{{ item }}"
create: yes
state: present
loop:
- "en_US.UTF-8 UTF-8"
- "fr_FR ISO-8859-1"
- "fr_FR.UTF-8 UTF-8"
register: default_locales
when: evolinux_system_locales
- name: Reconfigure locales
command: /usr/sbin/locale-gen
when: evolinux_system_locales and default_locales is changed
- name: Setting default timezone
timezone:
name: "{{ evolinux_system_timezone | mandatory }}"
notify: restart cron
when: evolinux_system_set_timezone
# TODO : find a way to force the console-data configuration
# non-interactively (like tzdata ↑)
- include_role:
name: evolix/remount-usr
- name: Ensure automagic vim conf is disabled
lineinfile:
dest: /etc/vim/vimrc
regexp: 'let g:skip_defaults_vim ='
line: 'let g:skip_defaults_vim = 1'
when: evolinux_system_vim_skip_defaults
- name: Setting vim as default editor
alternatives:
name: editor
path: /usr/bin/vim.basic
when: evolinux_system_vim_default_editor
- name: Add "umask 027" to /etc/profile.d/evolinux.sh
lineinfile:
dest: /etc/profile.d/evolinux.sh
line: "umask 027"
create: yes
state: present
when: evolinux_system_profile
- name: Set /etc/adduser.conf DIR_MODE to 0700
replace:
dest: /etc/adduser.conf
regexp: "^DIR_MODE=0755$"
replace: "DIR_MODE=0700"
when: evolinux_system_dirmode_adduser
# TODO: trouver comment ne pas faire ça sur Xen Dom-U
- name: Deactivating login on all tty except tty2
lineinfile:
dest: /etc/securetty
line: "tty2"
create: yes
state: present
when: evolinux_system_restrict_securetty
- name: Setting TMOUT to disconnect inactive users
lineinfile:
dest: /etc/profile.d/evolinux.sh
line: "export TMOUT=36000"
create: yes
state: present
when: evolinux_system_set_timeout
#- name: Customizing /etc/fstab
- name: Check if cron is installed
shell: "dpkg -l cron 2> /dev/null | grep -q -E '^(i|h)i'"
failed_when: False
changed_when: False
check_mode: no
register: is_cron_installed
- name: Set verbose logging for cron deamon
lineinfile:
dest: /etc/default/cron
line: "EXTRA_OPTS='-L 15'"
create: yes
state: present
when: is_cron_installed.rc == 0 and evolinux_system_cron_verboselog
- name: Modify default umask for cron deamon
lineinfile:
dest: /etc/default/cron
line: "umask 022"
create: yes
state: present
when: is_cron_installed.rc == 0 and evolinux_system_cron_umask
- name: Randomize periodic crontabs
replace:
dest: /etc/crontab
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' }
- { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
- { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
- { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
when: is_cron_installed.rc == 0 and evolinux_system_cron_random
- include_role:
name: evolix/ntpd
## alert5
- name: Install alert5 init script (jessie/stretch)
template:
src: system/alert5.sysvinit.j2
dest: /etc/init.d/alert5
force: no
mode: "0755"
when:
- evolinux_system_alert5_init
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
- name: Enable alert5 init script (jessie/stretch)
service:
name: alert5
enabled: yes
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_enable
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
- name: Install alert5 init script (buster)
template:
src: system/alert5.sh.j2
dest: /usr/share/scripts/alert5.sh
force: no
mode: "0755"
when:
- evolinux_system_alert5_init
- ansible_distribution_major_version is version('10', '>=')
- name: Install alert5 service (buster)
copy:
src: alert5.service
dest: /etc/systemd/system/alert5.service
force: yes
mode: "0644"
when:
- evolinux_system_alert5_init
- ansible_distribution_major_version is version('10', '>=')
- name: Enable alert5 init script (buster)
systemd:
name: alert5
daemon_reload: yes
enabled: yes
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_enable
- ansible_distribution_major_version is version('10', '>=')
## network interfaces
- name: "Is there an \"allow-hotplug\" interface ?"
command: grep allow-hotplug /etc/network/interfaces
failed_when: False
changed_when: False
check_mode: no
register: grep_hotplug_eni
- name: "Network interfaces must be \"auto\" and not \"allow-hotplug\""
replace:
dest: /etc/network/interfaces
regexp: "allow-hotplug"
replace: "auto"
when: evolinux_system_eni_auto and grep_hotplug_eni.rc == 0
## /sbin/deny
- name: "/sbin/deny script is present"
copy:
src: deny.sh
dest: /sbin/deny
mode: "0700"
owner: root
group: root
force: no
- meta: flush_handlers