MAR-19: Simplified the parameters for common role, making a lot of them optional with some sane defaults. Switched to using an actual list for additional groups.
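---
# Baseline applied to every host managed by these roles: apt proxy, umask
# hardening through PAM/login.defs/adduser, sudo + ssl-cert + common packages,
# OS groups and users with their SSH keys, sshd lockdown, extra CA certificates
# and the ferm firewall.
#
# Variables read here: apt_proxy, common_packages, os_groups, os_users,
# ca_certificates. Their defaults are expected to live in defaults/main.yml
# (not visible from this file).

- name: Enable use of proxy for retrieving system packages via apt
  template:
    src: apt_proxy.j2
    dest: /etc/apt/apt.conf.d/00proxy
    owner: root
    group: root
    mode: "0644"
  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt
  file:
    path: /etc/apt/apt.conf.d/00proxy
    state: absent
  when: apt_proxy is not defined

# pam_umask applies the UMASK from /etc/login.defs to every PAM session, not
# only to logins that go through login(1).
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    mode: "0644"
  notify: Update PAM configuration

# backrefs: true only rewrites an existing line, it never adds one. If no
# "UMASK" line is present in login.defs this task silently does nothing.
- name: Set login UMASK
  lineinfile:
    dest: /etc/login.defs
    state: present
    backrefs: true
    regexp: '^UMASK(\s+)'
    line: 'UMASK\g<1>027'

# Same caveat as above: a missing DIR_MODE line is left missing.
- name: Set home directory mask
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    backrefs: true
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'

- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

- name: Install common packages
  apt:
    name: "{{ item }}"
    state: present
  with_items: "{{ common_packages }}"

- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: present
  with_items: "{{ os_groups }}"

# Every user gets a private primary group with the same name; when a uid is
# given it is reused as the gid so the two numbers stay aligned.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"

# `password` must be a crypt(3) hash (e.g. the output of the password_hash
# filter), never plaintext: the module writes the value verbatim into
# /etc/shadow. The default "!" leaves the account without a usable password,
# so it is reachable only via SSH key or sudo.
#
# append: true only ever grants membership. A group removed from
# additional_groups (e.g. sudo) is NOT revoked on the host; switch to
# append: false if the declared list should be authoritative.
- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    groups: "{{ item.additional_groups | default([]) | join(',') }}"
    append: true
    shell: /bin/bash
    state: present
    password: "{{ item.password | default('!') }}"
  with_items: "{{ os_users }}"

# Keys are only ever added (exclusive is off by default): a key dropped from
# authorized_keys in the vars stays on the host. Revocation needs either a
# manual edit, or one authorized_key call per user with
# `key: "{{ item.authorized_keys | join('\n') }}"` and `exclusive: true`
# (exclusive is not loop-aware, so it cannot simply be added to this task).
- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys

# Both sshd edits run `sshd -t` on the candidate file before it replaces the
# real one, so a malformed config cannot lock us out. When no active
# "PermitRootLogin"/"PasswordAuthentication" line exists the directive is
# appended at EOF; on a config that ends with a "Match" block it would land
# inside that block and apply only there - add insertbefore: '^Match' then.
- name: Disable remote logins for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

# NOTE(review): this disables only the "password" method. Keyboard-interactive
# logins through PAM are governed by ChallengeResponseAuthentication
# (KbdInteractiveAuthentication on newer OpenSSH); Debian ships it as "no",
# but nothing here enforces that - confirm, or manage it in this role as well.
- name: Disable remote login authentication via password
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

# NOTE(review): Debian's update-ca-certificates builds the ca-certificates.crt
# bundle from /usr/share/ca-certificates and /usr/local/share/ca-certificates;
# files dropped straight into /etc/ssl/certs get hash symlinks (CApath
# lookups) but are not added to the bundle that CAfile consumers read. What
# the "Update CA certificate cache" handler does with them is not visible here.
- name: Deploy CA certificates
  copy:
    src: "{{ item }}"
    dest: "/etc/ssl/certs/{{ item | basename }}"
    owner: root
    group: root
    mode: "0644"
  with_items: "{{ ca_certificates }}"
  notify:
    - Update CA certificate cache

- name: Install ferm (for firewall management)
  apt:
    name: ferm
    state: present  # "installed" is a deprecated alias of "present"

- name: Configure ferm init script configuration file
  copy:
    src: ferm
    dest: /etc/default/ferm
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

- name: Create directory for storing ferm configuration files
  file:
    path: /etc/ferm/conf.d/
    state: directory
    owner: root
    group: root
    mode: "0750"

# Ownership and mode were previously left to the umask; pin them to
# root:root 0640, matching the rule files in conf.d, so the firewall
# definition is never world-readable.
- name: Deploy main ferm configuration file
  copy:
    src: ferm.conf
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Deploy ferm base rules
  template:
    src: 00-base.conf.j2
    dest: /etc/ferm/conf.d/00-base.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Enable ferm service
  service:
    name: ferm
    enabled: true
    state: started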