Files @ 7977a2033d9a

Location: majic-ansible-roles/roles/common/tasks/main.yml - annotation

branko
Noticket: Fixed ldap_permissions module - if no olcAccess rules are defined, assume empty list (otherwise we get key lookup exception).
---

# Render the apt proxy snippet whenever apt_proxy is set.
# NOTE(review): the snippet is world-readable (0644), so any credentials
# embedded in the proxy URL would be readable by every local user - confirm
# against the apt_proxy.j2 template.
- name: Enable use of proxy for retrieving system packages via apt
  template:
    src: "apt_proxy.j2"
    dest: "/etc/apt/apt.conf.d/00proxy"
    owner: root
    group: root
    mode: "0644"
  when: apt_proxy is defined

# Inverse of the task above: with apt_proxy unset, remove any previously
# deployed proxy snippet so apt goes direct again.
- name: Disable use of proxy for retrieving system packages via apt
  file:
    path: "/etc/apt/apt.conf.d/00proxy"
    state: absent
  when: apt_proxy is undefined

# Ship the pam-auth-update profile for pam_umask. A change notifies the
# "Update PAM configuration" handler, which is defined outside this file.
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    mode: "0644"
  notify: Update PAM configuration

# Rewrite the existing UMASK entry in login.defs to 027, so newly created
# files carry no permissions for "other". The captured whitespace is put back
# via \g<1>, which keeps the original column alignment.
# NOTE(review): with backrefs=yes lineinfile leaves the file untouched when the
# regexp matches nothing, so a login.defs without an uncommented UMASK line
# silently keeps its default - confirm that is acceptable.
- name: Set login UMASK
  lineinfile: dest=/etc/login.defs state=present backrefs=yes regexp='^UMASK(\s+)' line='UMASK\g<1>027'

# Set adduser's DIR_MODE to 0750 so home directories it creates are closed to
# "other". Only an existing DIR_MODE= line is rewritten (same backrefs
# behaviour as the task above).
- name: Set home directory mask
  lineinfile: dest=/etc/adduser.conf state=present backrefs=yes regexp='^DIR_MODE=' line='DIR_MODE=0750'

# Files under /etc/profile.d and the system bashrc files are sourced by
# interactive shells, including root's, so they stay root-owned and are
# writable by root only.
- name: Deploy bash profile configuration for fancier prompts
  template:
    src: "bash_prompt.sh.j2"
    dest: "/etc/profile.d/bash_prompt.sh"
    owner: root
    group: root
    mode: "0644"

# NOTE(review): going by the task name, this hook lets users supply their own
# profile.d files; which paths it sources is decided in user_profile_d.sh,
# not here.
- name: Deploy profile configuration that allows for user-specific profile.d files
  copy:
    src: "user_profile_d.sh"
    dest: "/etc/profile.d/z99-user_profile_d.sh"
    owner: root
    group: root
    mode: "0644"

# Each dict key is a file shipped with the role, each value the destination.
- name: Replace default and skeleton bashrc
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    owner: root
    group: root
    mode: "0644"
  with_dict:
    skel_bashrc: "/etc/skel/.bashrc"
    bashrc: "/etc/bash.bashrc"

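# Collect metadata for root's bashrc (stat's default checksum is SHA-1) so the
# next task can tell whether the file is still the stock one.
- name: Calculate stock checksum for bashrc root account
  stat:
    path: "/root/.bashrc"
  register: root_bashrc_stat

# Overwrite root's bashrc only while it still matches the pinned checksum; a
# locally modified file is left alone.
# The exists guard matters: stat returns no checksum for a missing path, and
# the bare comparison would then abort the play on an undefined attribute.
- name: Replace stock bashrc for root account with skeleton one
  copy:
    src: "skel_bashrc"
    dest: "/root/.bashrc"
    owner: root
    group: root
    mode: "0640"
  when: >-
    root_bashrc_stat.stat.exists and
    root_bashrc_stat.stat.checksum == "b737c392222ddac2271cc8d0d8cc0308d08cf458"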

# Base packages the role always installs.
- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

# rcconf is used further down to enable the ferm service on boot.
- name: Install rcconf (workaround for systemctl broken handling of SysV)
  apt:
    name: rcconf
    state: present

# Site-specific extras come from the common_packages variable.
# state=present installs whatever version the configured repositories offer;
# nothing here pins versions.
- name: Install common packages
  apt:
    name: "{{ item }}"
    state: "present"
  with_items: "{{ common_packages }}"

# Applied only when the MariaDB compat development package was requested
# through common_packages.
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
  file:
    src: "/usr/bin/mariadb_config"
    dest: "/usr/bin/mysql_config"
    state: link
  when: "'libmariadb-client-lgpl-dev-compat' in common_packages"

# Applied only when one of the Emacs 24 packages was requested through
# common_packages.
- name: Disable electric-indent-mode for Emacs by default for all users
  copy:
    src: "01disable-electric-indent-mode.el"
    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
    owner: root
    group: root
    mode: "0644"
  when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages"

# Shared groups listed in os_groups; gid is left out when the entry has none.
- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: present
  with_items: "{{ os_groups }}"

# One group per user, named after the user and reusing the user's uid as gid.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"

# password goes straight to the user module, which expects an already-hashed
# value. The '!' fallback is not a valid hash, so the account has no usable
# password. update_password=on_create means a later change to item.password
# is NOT applied to an account that already exists.
# append=yes only adds groups: dropping a group from additional_groups does
# not take the user out of it.
- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    groups: "{{ ','.join(item.additional_groups | default([])) }}"
    append: true
    shell: /bin/bash
    state: present
    password: "{{ item.password | default('!') }}"
    update_password: on_create
  with_items: "{{ os_users }}"

# One authorized_key call per (user, key) pair, for users that define
# authorized_keys.
# NOTE(review): keys are only added. A key removed from the variable stays in
# the user's authorized_keys file until it is revoked some other way.
- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys

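# Both tasks edit sshd_config in place. validate runs sshd's own syntax check
# on the candidate file first, so a broken edit is rejected instead of being
# written and picked up by the "Restart SSH" handler.
# NOTE(review): the regexps only match an uncommented directive at the start
# of a line. When none exists the line is appended at the end of the file,
# where it would fall inside a trailing Match block if there is one. sshd also
# keeps the first value it reads for a keyword, so an earlier duplicate wins.
# Check the effective settings with "sshd -T" on a managed host.
- name: Disable remote logins for root
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH

# Leaves key-based authentication as the remaining login method.
# NOTE(review): other password-style methods (keyboard-interactive through
# PAM) are controlled by separate directives that this file does not set -
# confirm they are disabled in the base sshd_config.
- name: Disable remote login authentication via password
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH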

# Every entry in ca_certificates becomes a system-wide trust anchor: the key is
# the file name (without .crt) and the value the certificate content.
# NOTE(review): no task in this file removes a certificate that was dropped
# from the variable; it stays in /usr/local/share/ca-certificates until it is
# deleted some other way.
- name: Deploy CA certificates
  copy:
    content: "{{ item.value }}"
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
    owner: root
    group: root
    mode: "0644"
  with_dict: "{{ ca_certificates }}"
  register: deploy_ca_certificates_result

# Rebuild the certificate store only when at least one file was written.
- name: Update CA certificate cache
  command: /usr/sbin/update-ca-certificates --fresh
  when: deploy_ca_certificates_result.changed

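# Host firewall: install ferm, deploy its configuration, enable and start it.
# state=present replaces the original "installed", a deprecated alias that
# newer Ansible releases reject; it also matches the other apt tasks here.
- name: Install ferm (for firewall management)
  apt:
    name: ferm
    state: present

- name: Configure ferm init script coniguration file
  copy:
    src: ferm
    dest: /etc/default/ferm
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

# 0750 root:root keeps the rule fragments unreadable to unprivileged users.
- name: Create directory for storing ferm configuration files
  file:
    dest: "/etc/ferm/conf.d/"
    state: directory
    owner: root
    group: root
    mode: "0750"

# Owner, group and mode are set explicitly, to the same values as the base
# rules below. The original task set none of them, leaving the permissions of
# the main firewall configuration to whatever was already on disk or to the
# umask.
- name: Deploy main ferm configuration file
  copy:
    src: ferm.conf
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Deploy ferm base rules
  template:
    src: 00-base.conf.j2
    dest: /etc/ferm/conf.d/00-base.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# NOTE(review): changed_when reports "changed" on every run where rcconf
# writes nothing to stderr, so this task never shows as unchanged on success -
# confirm that is intended.
- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
  command: rcconf -on ferm
  register: result
  changed_when: result.stderr == ""

# Only starts the service; enabling it on boot is the job of the rcconf task
# above. Changed rules are loaded by the "Restart ferm" handler when handlers
# run.
- name: Enable ferm service
  service:
    name: ferm
    state: started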

# Pull the role's handler file in as ordinary tasks when the "handlers"
# variable is truthy; it defaults to False, so this is skipped on normal runs.
# The "handlers" tag lets this be selected on its own.
# NOTE(review): run this way, the included tasks execute whether or not
# anything notified them - presumably meant for forcing service restarts.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers