diff --git a/roles/backup/handlers/main.yml b/roles/backup/handlers/main.yml index e80266417eef64beb96acdb1bfb3e87a05f4053e..17ac19038e5f35451aae918b1279d0b174588963 100644 --- a/roles/backup/handlers/main.yml +++ b/roles/backup/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Assemble Duply include patterns - assemble: + ansible.builtin.assemble: dest: "/etc/duply/main/include" src: "/etc/duply/main/patterns" owner: root diff --git a/roles/backup/molecule/default/prepare.yml b/roles/backup/molecule/default/prepare.yml index eefd77c3d02929d5fe3bed6cc81072fdb26e7060..ad4260a270d56a9bbe635a177383b7e91432684d 100644 --- a/roles/backup/molecule/default/prepare.yml +++ b/roles/backup/molecule/default/prepare.yml @@ -7,10 +7,10 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml index d4f756b5a9b53fee2b25f9d5577311219ff79b82..5812d96fc008b10d4422921a687344a2e1ae7779 100644 --- a/roles/backup/tasks/main.yml +++ b/roles/backup/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Configure backup patterns - template: + ansible.builtin.template: src: "backup_patterns.j2" dest: "/etc/duply/main/patterns/{{ backup_patterns_filename }}" owner: root @@ -11,7 +11,7 @@ - Assemble Duply include patterns - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/backup_client/handlers/main.yml b/roles/backup_client/handlers/main.yml index bb42e51c762fc7dc69777db0c94b94f3e3778fbf..056198233719bea7ff880dd73000d6b1bd4e7c47 100644 --- a/roles/backup_client/handlers/main.yml +++ b/roles/backup_client/handlers/main.yml @@ -7,10 +7,10 @@ # This task is invoked only if user is very specific about requiring to # run the handlers manually as a way to bring the system to consistency # after interrupted runs. - command: "rm -rf /etc/duply/main/gnupg" + ansible.builtin.command: "rm -rf /etc/duply/main/gnupg" - name: Create keyring directory - file: + ansible.builtin.file: path: "/etc/duply/main/gnupg" state: directory owner: root @@ -22,12 +22,12 @@ # This task is invoked only if user is very specific about requiring to # run the handlers manually as a way to bring the system to consistency # after interrupted runs. - command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc" + ansible.builtin.command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc" - name: Import public keys # noqa no-changed-when # [no-changed-when] Commands should not change things if nothing needs doing # This task is invoked only if user is very specific about requiring to # run the handlers manually as a way to bring the system to consistency # after interrupted runs. - command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc" + ansible.builtin.command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc" when: backup_additional_encryption_keys | length > 0 diff --git a/roles/backup_client/molecule/default/converge.yml b/roles/backup_client/molecule/default/converge.yml index 01a6de15bf3f0a336c0f650bfb66c844806f00e9..d79497e4529129377f974bac48c7ed3a0ce2914f 100644 --- a/roles/backup_client/molecule/default/converge.yml +++ b/roles/backup_client/molecule/default/converge.yml @@ -13,7 +13,7 @@ tasks: - name: Deploy pre-backup script - copy: + ansible.builtin.copy: src: tests/data/10-test-pre-backup.sh dest: /etc/duply/main/pre.d/10-test-pre-backup.sh owner: root diff --git a/roles/backup_client/molecule/default/prepare.yml b/roles/backup_client/molecule/default/prepare.yml index 8bd2d5b25faf4c7e24752fd7809ceff043252cb5..2b9e2e137365788216a5abab6af98a98e39bef64 100644 --- a/roles/backup_client/molecule/default/prepare.yml +++ b/roles/backup_client/molecule/default/prepare.yml @@ -7,11 +7,11 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false @@ -21,7 +21,7 @@ tasks: - name: Deploy SSH server keys - copy: + ansible.builtin.copy: content: "{{ lookup('file', item.key) + '\n' }}" dest: "{{ item.value }}" owner: root @@ -35,7 +35,7 @@ - Restart ssh - name: Drop the outdated public keys - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -44,14 +44,14 @@ - /etc/ssh/ssh_host_ecdsa_key.pub - name: Force the use of internal-sftp subsystem for SFTP - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^Subsystem.*sftp" line: "Subsystem sftp internal-sftp" state: present - name: Deploy custom SSH server configuration that chroots users - copy: + ansible.builtin.copy: src: "tests/data/backup_server-sshd-chroot_backup_users.conf" dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf" owner: root @@ -61,16 +61,16 @@ - Restart ssh - name: Set-up backup group that will contain all backup users - group: + ansible.builtin.group: name: "backup-users" - name: Set-up backup user groups - group: + ansible.builtin.group: name: "{{ item.name }}" with_items: "{{ backup_users }}" - name: Set-up backup users - user: + ansible.builtin.user: name: "{{ item.name }}" group: "{{ item.name }}" groups: @@ -78,20 +78,20 @@ with_items: "{{ backup_users }}" - name: Set-up authorised keys - authorized_key: + ansible.posix.authorized_key: user: "{{ item.name }}" key: "{{ item.key }}" with_items: "{{ backup_users }}" - name: Set-up port forwarding - command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22" + ansible.builtin.command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22" changed_when: false with_items: - 2222 - 3333 - name: Change ownership of home directories for SFTP chroot to work - file: + ansible.builtin.file: path: "/home/{{ item.name }}" state: directory owner: root @@ -100,7 +100,7 @@ with_items: "{{ backup_users }}" - name: Set-up duplicity backup directories - file: + ansible.builtin.file: path: "~{{ item.name }}/duplicity" state: directory owner: root @@ -110,7 +110,7 @@ handlers: - name: Restart ssh - service: + ansible.builtin.service: name: ssh state: restarted diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index c09f302722240da8b39868b7f2fe68bce8bd935d..dcbcd1d0581ee168fb8a8100d5c47715326d0f23 100644 --- a/roles/backup_client/tasks/main.yml +++ b/roles/backup_client/tasks/main.yml @@ -1,14 +1,14 @@ --- - name: Install backup software - apt: + ansible.builtin.apt: name: - duplicity - duply state: present - name: Set-up Duply directories - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root @@ -24,7 +24,7 @@ - "/var/cache/duply/main" - name: Deploy GnuPG private keys - copy: + ansible.builtin.copy: content: "{{ backup_encryption_key }}" dest: "/etc/duply/main/private_keys.asc" owner: root @@ -37,7 +37,7 @@ - Import public keys - name: Deploy GnuPG public keys - copy: + ansible.builtin.copy: content: "{{ backup_additional_encryption_keys | join('\n') }}" dest: "/etc/duply/main/public_keys.asc" owner: root @@ -50,7 +50,7 @@ - Import public keys - name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format) - shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: | + ansible.builtin.shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //'" args: executable: /bin/bash @@ -59,7 +59,7 @@ failed_when: not backup_encryption_key_id.stdout - name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format) - shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: | + ansible.builtin.shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: | sed -e 's/.*: //' | sort -u | tr '\n' ',' | sed -e 's/,$//'" args: executable: /bin/bash @@ -69,7 +69,7 @@ failed_when: not backup_additional_encryption_keys_ids.stdout - name: Deploy private SSH key for logging-in into backup server - copy: + ansible.builtin.copy: content: "{{ backup_ssh_key }}" dest: "/etc/duply/main/ssh/identity" owner: root @@ -78,7 +78,7 @@ no_log: true - name: Deploy custom known_hosts for backup purposes - template: + ansible.builtin.template: src: "known_hosts.j2" dest: "/etc/duply/main/ssh/known_hosts" owner: root @@ -86,7 +86,7 @@ mode: "0600" - name: Deploy Duply configuration file - template: + ansible.builtin.template: src: "duply_main_conf.j2" dest: "/etc/duply/main/conf" owner: root @@ -94,7 +94,7 @@ mode: "0600" - name: Deploy base exclude pattern (exclude all by default) - copy: + ansible.builtin.copy: content: "- **" dest: "/etc/duply/main/exclude" owner: root @@ -102,7 +102,7 @@ mode: "0600" - name: Set-up directory for storing pre-backup scripts - file: + ansible.builtin.file: path: "/etc/duply/main/pre.d/" state: directory owner: root @@ -110,7 +110,7 @@ mode: "0700" - name: Set-up script for running all pre-backup scripts - copy: + ansible.builtin.copy: src: "duply_pre" dest: "/etc/duply/main/pre" owner: root @@ -118,7 +118,7 @@ mode: "0700" - name: Deploy crontab entry for running backups - cron: + ansible.builtin.cron: name: backup cron_file: backup hour: "2" @@ -128,7 +128,7 @@ user: root - name: Ensure the file with include patterns exists (but do not overwrite) - copy: + ansible.builtin.copy: content: "" dest: /etc/duply/main/include force: false @@ -137,7 +137,7 @@ mode: "0600" - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/backup_server/handlers/main.yml b/roles/backup_server/handlers/main.yml index 918490612f90e0d3dc7be27b1d3a87677655c6c2..b963d40b3dbc95764825196b84aa67e9fc734bf3 100644 --- a/roles/backup_server/handlers/main.yml +++ b/roles/backup_server/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart backup SSH server - service: + ansible.builtin.service: name: ssh-backup state: restarted diff --git a/roles/backup_server/molecule/default/prepare.yml b/roles/backup_server/molecule/default/prepare.yml index d5df27dc533f1e55e4f81dfdc20b703950416bd9..e65b73ad375ca7229b0190091f897584ffc4756e 100644 --- a/roles/backup_server/molecule/default/prepare.yml +++ b/roles/backup_server/molecule/default/prepare.yml @@ -6,7 +6,7 @@ tasks: - name: Fix SSH client file permissions locally, otherwise we get error from SSH - file: + ansible.builtin.file: path: "{{ item }}" mode: g=,o= with_items: @@ -20,9 +20,9 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml index a77ff31150051e0956d88b102289b85ab4d88c42..1f1f95ee23075309473e2ac450c9811e8cddb2d7 100644 --- a/roles/backup_server/tasks/main.yml +++ b/roles/backup_server/tasks/main.yml @@ -1,14 +1,14 @@ --- - name: Install backup software - apt: + ansible.builtin.apt: name: - duplicity - duply state: present - name: Create directory for storing backups - file: + ansible.builtin.file: path: "/srv/backups" state: directory owner: root @@ -16,14 +16,14 @@ mode: "0751" - name: Create backup client groups - group: + ansible.builtin.group: name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" gid: "{{ item.uid | default(omit) }}" system: true with_items: "{{ backup_clients }}" - name: Create backup client users - user: + ansible.builtin.user: name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" groups: "backup" @@ -35,7 +35,7 @@ with_items: "{{ backup_clients }}" - name: Create home directories for backup client users - file: + ansible.builtin.file: path: "/srv/backups/{{ item.server }}" state: directory owner: root @@ -44,7 +44,7 @@ with_items: "{{ backup_clients }}" - name: Create duplicity directories for backup client users - file: + ansible.builtin.file: path: "/srv/backups/{{ item.server }}/duplicity" state: directory owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" @@ -53,7 +53,7 @@ with_items: "{{ backup_clients }}" - name: Create SSH directory for backup client users - file: + ansible.builtin.file: path: "/srv/backups/{{ item.server }}/.ssh" state: directory owner: root @@ -62,7 +62,7 @@ with_items: "{{ backup_clients }}" - name: Populate authorized keys for backup client users - authorized_key: + ansible.posix.authorized_key: user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" key: "{{ item.public_key }}" manage_dir: false @@ -70,7 +70,7 @@ with_items: "{{ backup_clients }}" - name: Set-up authorized_keys file permissions for backup client users - file: + ansible.builtin.file: path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys" state: file owner: root @@ -79,7 +79,7 @@ with_items: "{{ backup_clients }}" - name: Deny the backup group login via regular SSH - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/ssh/sshd_config" state: present line: "DenyGroups backup" @@ -87,7 +87,7 @@ - Restart SSH - name: Set-up directory for the backup OpenSSH server instance - file: + ansible.builtin.file: path: "/etc/ssh-backup/" state: directory owner: root @@ -95,7 +95,7 @@ mode: "0700" - name: Deploy configuration file for the backup OpenSSH server instance service - copy: + ansible.builtin.copy: src: "ssh-backup.default" dest: "/etc/default/ssh-backup" owner: root @@ -105,7 +105,7 @@ - Restart backup SSH server - name: Deploy configuration file for the backup OpenSSH server instance - copy: + ansible.builtin.copy: src: "backup-sshd_config" dest: "/etc/ssh-backup/sshd_config" owner: root @@ -115,7 +115,7 @@ - Restart backup SSH server - name: Deploy the private keys for backup OpenSSH server instance - template: + ansible.builtin.template: src: "ssh_host_key.j2" dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key" owner: root @@ -127,7 +127,7 @@ no_log: true - name: Deploy backup OpenSSH server systemd service file - copy: + ansible.builtin.copy: src: "ssh-backup.service" dest: "/etc/systemd/system/ssh-backup.service" owner: root @@ -138,13 +138,13 @@ - Restart backup SSH server - name: Start and enable OpenSSH backup service - service: + ansible.builtin.service: name: "ssh-backup" state: started enabled: true - name: Deploy firewall configuration for backup server - template: + ansible.builtin.template: src: "ferm_backup.conf.j2" dest: "/etc/ferm/conf.d/40-backup.conf" owner: root @@ -154,7 +154,7 @@ - Restart ferm - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml index 8dae2fd6fcd7ea5173f2e61f1ea32b955134ba09..64ed8c7d39295a6b5016864971d59d5a1bfc1728 100644 --- a/roles/bootstrap/handlers/main.yml +++ b/roles/bootstrap/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Dummy handler to suppress Ansible warnings - debug: + ansible.builtin.debug: msg: "This is just a dummy task to suppress the Ansible warning about an empty include." diff --git a/roles/bootstrap/molecule/default/prepare.yml b/roles/bootstrap/molecule/default/prepare.yml index 7f1c268a76b571a1cedb0cf1578a7267ac17c11e..834afd2c843bf184ce4c2c515080b15b1ab70f13 100644 --- a/roles/bootstrap/molecule/default/prepare.yml +++ b/roles/bootstrap/molecule/default/prepare.yml @@ -7,11 +7,11 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false @@ -22,7 +22,7 @@ tasks: - name: Deploy authorized_keys to mimic set-up via preseed file - authorized_key: + ansible.posix.authorized_key: user: root key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" @@ -33,6 +33,6 @@ tasks: - name: Deploy authorized_keys to mimic set-up via preseed file - authorized_key: + ansible.posix.authorized_key: user: root key: "{{ lookup('file', 'tests/data/ansible_key.pub') }}" diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml index 1a412c52d1b7a5518767caa846dfbc85a92a68df..b4a99f15f40f1d7545a950d43f1c87a259cd0bc7 100644 --- a/roles/bootstrap/tasks/main.yml +++ b/roles/bootstrap/tasks/main.yml @@ -1,29 +1,29 @@ --- - name: Install sudo - apt: + ansible.builtin.apt: name: sudo state: present - name: Set-up the Ansible group - group: + ansible.builtin.group: name: ansible system: true - name: Set-up the Ansible user - user: + ansible.builtin.user: name: ansible system: true group: ansible shell: /bin/bash - name: Set-up authorized key for the Ansible user - authorized_key: + ansible.posix.authorized_key: user: ansible key: "{{ ansible_key }}" - name: Set-up password-less sudo for the ansible user - copy: + ansible.builtin.copy: src: "ansible_sudo" dest: "/etc/sudoers.d/ansible" mode: "0640" @@ -31,13 +31,13 @@ group: root - name: Revoke rights for Ansible user to log-in as root to server via ssh - authorized_key: + ansible.posix.authorized_key: user: root key: "{{ ansible_key }}" state: absent - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 5bd739c169425f9999d638c49d843bd6d3f6012e..022af6ddfc1b2b20e04ab592c9e04293b0f861da 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -5,10 +5,10 @@ # This task is invoked only if user is very specific about requiring to # run the handlers manually as a way to bring the system to consistency # after interrupted runs. - command: "/usr/sbin/pam-auth-update --package" + ansible.builtin.command: "/usr/sbin/pam-auth-update --package" - name: Restart SSH - service: + ansible.builtin.service: name: ssh state: restarted @@ -17,19 +17,19 @@ # This task is invoked only if user is very specific about requiring to # run the handlers manually as a way to bring the system to consistency # after interrupted runs. - command: "/usr/sbin/update-ca-certificates --fresh" + ansible.builtin.command: "/usr/sbin/update-ca-certificates --fresh" - name: Restart ferm - service: + ansible.builtin.service: name: ferm state: restarted - name: Reload systemd - systemd: + ansible.builtin.systemd: daemon_reload: true - name: Restart NTP server - service: + ansible.builtin.service: name: ntpsec state: restarted when: ntp_pools | length > 0 diff --git a/roles/common/molecule/default/cleanup.yml b/roles/common/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/common/molecule/default/cleanup.yml +++ b/roles/common/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/common/molecule/default/converge.yml b/roles/common/molecule/default/converge.yml index c5feb2ad46188500960bb93dc23157a0502b7d11..5e271d0326dff9ba63772d07bebb039506a33653 100644 --- a/roles/common/molecule/default/converge.yml +++ b/roles/common/molecule/default/converge.yml @@ -12,7 +12,7 @@ tasks: - name: Set-up directories for testing pip requirements upgrade checks script - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root @@ -24,7 +24,7 @@ - "/tmp/pip_check_requirements_upgrades/without_updates" - name: Deploy files for testing pip requirements upgrade checks script - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "/tmp/{{ item }}" owner: root @@ -38,12 +38,12 @@ - "pip_check_requirements_upgrades/without_updates/requirements.txt" - name: Install web server for testing connectivity - apt: + ansible.builtin.apt: name: nginx state: present - name: Deploy firewall configuration file for the web server - copy: + ansible.builtin.copy: src: ferm_http.conf dest: /etc/ferm/conf.d/99-http.conf owner: root @@ -55,6 +55,6 @@ handlers: - name: Restart ferm - service: + ansible.builtin.service: name: ferm state: restarted diff --git a/roles/common/molecule/default/prepare.yml b/roles/common/molecule/default/prepare.yml index 58d895c7482b2afb250d8b8f398a2e85a4e579a6..266cf5c2e4d66351659808367726a05672cfcac0 100644 --- a/roles/common/molecule/default/prepare.yml +++ b/roles/common/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init --ca-hierarchy-depth 2" + ansible.builtin.command: "gimmecert init --ca-hierarchy-depth 2" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -25,21 +25,21 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Install net-tools for running Testinfra host.socket tests - apt: + ansible.builtin.apt: name: net-tools state: present - name: Remove the ss utility (see https://github.com/philpep/testinfra/pull/320) - file: + ansible.builtin.file: path: "/bin/ss" state: absent @@ -49,7 +49,7 @@ tasks: - name: Install apt-cacher-ng - apt: + ansible.builtin.apt: name: apt-cacher-ng state: present @@ -59,12 +59,12 @@ tasks: - name: Install tool for testing TCP connectivity - apt: + ansible.builtin.apt: name: nmap state: present - name: Set-up /etc/hosts with entries for all servers - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -84,7 +84,7 @@ tasks: - name: Set-up /etc/hosts with entries for all servers - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -97,7 +97,7 @@ 192.168.56.4: client2 - name: Load legacy iptables to test their removal - modprobe: + community.general.modprobe: name: "{{ item }}" state: present with_items: @@ -115,7 +115,7 @@ - name: Create some custom legacy iptables chains for testing their removal (max chain name length is 29) # noqa no-changed-when # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. - command: "iptables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'" + ansible.builtin.command: "iptables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'" with_items: - filter - nat @@ -126,7 +126,7 @@ - name: Create some custom legacy ip6tables chains for testing their removal (max chain name length is 29) # noqa no-changed-when # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. - command: "ip6tables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'" + ansible.builtin.command: "ip6tables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'" with_items: - filter - nat @@ -135,7 +135,7 @@ - raw - name: Create deprecated directory for storing requirements files created using Python 3 (pip requirements upgrade checks) - file: + ansible.builtin.file: path: "/etc/pip_check_requirements_upgrades-py3" state: directory owner: root @@ -143,7 +143,7 @@ mode: "0750" - name: Create deprecated directory for Python 3 virtual environment (pip requirements upgrade checks) - file: + ansible.builtin.file: path: "/var/lib/pipreqcheck/virtualenv-py3/" state: directory owner: root @@ -151,7 +151,7 @@ mode: "0750" - name: Create deprecated cronjob file for Python 3 (pip requirements upgrade checks) - file: + ansible.builtin.file: path: "/etc/cron.d/check_pip_requirements-py3" state: touch owner: root @@ -159,7 +159,7 @@ mode: "0644" - name: Install the deprecated/obsolete NTP-related packages - apt: + ansible.builtin.apt: name: - ntp - ntpdate diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index a00536bfd5690bab774f1e4e8058e0d18a3a478c..d46c144af2bf070bfba9447ce9f6708863cdc171 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -4,7 +4,7 @@ # =========== - name: Drop deprecated directories and files - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -13,7 +13,7 @@ - "/etc/cron.d/check_pip_requirements-py3" - name: Drop deprecated packages - apt: + ansible.builtin.apt: name: - ntp - ntpdate @@ -24,7 +24,7 @@ # =================== - name: Enable use of proxy for retrieving system packages via apt - template: + ansible.builtin.template: src: "apt_proxy.j2" dest: "/etc/apt/apt.conf.d/00proxy" owner: root @@ -33,13 +33,13 @@ when: apt_proxy is defined - name: Disable use of proxy for retrieving system packages via apt - file: + ansible.builtin.file: path: "/etc/apt/apt.conf.d/00proxy" state: absent when: apt_proxy is undefined - name: Deploy pam-auth-update configuration file for enabling pam_umask - copy: + ansible.builtin.copy: src: "pam_umask" dest: "/usr/share/pam-configs/umask" owner: root @@ -55,12 +55,12 @@ # subsequent playbook runs, make sure the PAM configuration is # updated immediatelly. This way any files created by commands etc # should end-up with correct permissions straight away. - command: "/usr/sbin/pam-auth-update --package" + ansible.builtin.command: "/usr/sbin/pam-auth-update --package" when: pam_umask.changed changed_when: true # Always results in change due to task logic. - name: Set login UMASK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/login.defs" state: present backrefs: true @@ -68,7 +68,7 @@ line: 'UMASK\g<1>027' - name: Set home directory mask - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/adduser.conf" state: present backrefs: true @@ -76,7 +76,7 @@ line: 'DIR_MODE=0750' - name: Deploy bash profile configuration for fancier prompts - template: + ansible.builtin.template: src: "bash_prompt.sh.j2" dest: "/etc/profile.d/bash_prompt.sh" owner: root @@ -84,7 +84,7 @@ mode: "0644" - name: Deploy profile configuration that allows for user-specific profile.d files - copy: + ansible.builtin.copy: src: "user_profile_d.sh" dest: "/etc/profile.d/z99-user_profile_d.sh" owner: root @@ -92,7 +92,7 @@ mode: "0644" - name: Replace default and skeleton bashrc - copy: + ansible.builtin.copy: src: "{{ item.key }}" dest: "{{ item.value }}" owner: root @@ -103,12 +103,12 @@ skel_bashrc: "/etc/skel/.bashrc" - name: Calculate stock checksum for bashrc root account - stat: + ansible.builtin.stat: path: "/root/.bashrc" register: root_bashrc_stat - name: Replace stock bashrc for root account with skeleton one - copy: + ansible.builtin.copy: src: "skel_bashrc" dest: "/root/.bashrc" owner: root @@ -119,22 +119,22 @@ root_bashrc_stat.stat.checksum == "1a422a148ad225aa5ba33f8dafd2b7cfcdbd701f" - name: Install sudo - apt: + ansible.builtin.apt: name: sudo state: present - name: Install ssl-cert package - apt: + ansible.builtin.apt: name: ssl-cert state: present - name: Install common packages - apt: + ansible.builtin.apt: name: "{{ common_packages }}" state: "present" - name: Disable electric-indent-mode for Emacs by default for all users - copy: + ansible.builtin.copy: src: "01disable-electric-indent-mode.el" dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el" owner: root @@ -143,34 +143,34 @@ when: "['emacs24', 'emacs24-nox', 'emacs25', 'emacs25-nox', 'emacs', 'emacs-nox'] | intersect(common_packages) | length > 0" - name: Set-up operating system groups - group: + ansible.builtin.group: name: "{{ item.name }}" gid: "{{ item.gid | default(omit) }}" state: present with_items: "{{ os_groups }}" - name: Set-up operating system user groups - group: + ansible.builtin.group: name: "{{ item.name }}" gid: "{{ item.uid | default(omit) }}" state: present with_items: "{{ os_users }}" - name: Set-up operating system users - user: + ansible.builtin.user: name: "{{ item.name }}" uid: "{{ item.uid | default(omit) }}" group: "{{ item.name }}" groups: "{{ ','.join(item.additional_groups | default([])) }}" append: true - shell: /bin/bash + ansible.builtin.shell: /bin/bash state: present password: "{{ item.password | default('!') }}" update_password: on_create with_items: "{{ os_users }}" - name: Set-up authorised keys - authorized_key: + ansible.posix.authorized_key: user: "{{ item.0.name }}" key: "{{ item.1 }}" with_subelements: @@ -178,7 +178,7 @@ - authorized_keys - name: Disable remote logins for root - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/ssh/sshd_config" state: present regexp: "^PermitRootLogin" @@ -187,7 +187,7 @@ - Restart SSH - name: Disable remote login authentication via password - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/ssh/sshd_config" state: present regexp: "^PasswordAuthentication" @@ -196,7 +196,7 @@ - Restart SSH - name: Deploy CA certificates - copy: + ansible.builtin.copy: content: "{{ item.value }}" dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt" owner: root @@ -210,12 +210,12 @@ # CA certificate cache must be updated immediatelly in order for # applications depending on deployed CA certificates can use them to # validate server/client certificates. - command: "/usr/sbin/update-ca-certificates --fresh" + ansible.builtin.command: "/usr/sbin/update-ca-certificates --fresh" when: deploy_ca_certificates_result.changed changed_when: true # Always results in change due to task logic. - name: Set-up file diversions for custom files that overrride package-provided ones - command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'" + ansible.builtin.command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'" register: "dpkg_divert" changed_when: "'Adding' in dpkg_divert.stdout" with_items: @@ -224,7 +224,7 @@ - Restart ferm - name: Deploy the patched ferm binary that disables use of legacy iptables - copy: + ansible.builtin.copy: src: ferm_binary dest: /usr/sbin/ferm owner: root @@ -234,12 +234,12 @@ - Restart ferm - name: Install ferm (for firewall management) - apt: + ansible.builtin.apt: name: ferm state: present - name: Configure ferm init script coniguration file - copy: + ansible.builtin.copy: src: "ferm_default" dest: "/etc/default/ferm" owner: root @@ -249,7 +249,7 @@ - Restart ferm - name: Create directory for storing ferm configuration files - file: + ansible.builtin.file: dest: "/etc/ferm/conf.d/" state: directory owner: root @@ -257,7 +257,7 @@ mode: "0750" - name: Deploy main ferm configuration file - copy: + ansible.builtin.copy: src: "ferm.conf" dest: "/etc/ferm/ferm.conf" owner: root @@ -267,13 +267,13 @@ - Restart ferm - name: Verify maintenance_allowed_sources parameter - fail: + ansible.builtin.fail: msg: "Items in maintenance_allowed_sources must IPv4/IPv6 addresses or subnets: {{ item }}" when: "not (item is ansible.utils.ipv4_address or item is ansible.utils.ipv6_address)" with_items: "{{ maintenance_allowed_sources }}" - name: Deploy ferm base rules - template: + ansible.builtin.template: src: "00-base.conf.j2" dest: "/etc/ferm/conf.d/00-base.conf" owner: root @@ -283,13 +283,13 @@ - Restart ferm - name: Enable and start ferm - service: + ansible.builtin.service: name: ferm state: started enabled: true - name: Deploy script for flushing legacy iptables rules - copy: + ansible.builtin.copy: src: "legacy_iptables_rules.sh" dest: "/usr/local/sbin/drop_legacy_iptables_rules.sh" owner: root @@ -297,14 +297,14 @@ mode: "0755" - name: Drop legacy iptables rules - command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove" + ansible.builtin.command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove" register: legacy_iptables_rules changed_when: "'Removed legacy iptables for families' in legacy_iptables_rules.stdout" notify: - Restart ferm - name: Deploy script for validating server certificates - copy: + ansible.builtin.copy: src: "check_certificate.sh" dest: "/usr/local/bin/check_certificate.sh" owner: root @@ -312,7 +312,7 @@ mode: "0755" - name: Set-up directory for holding configuration for certificate validation script - file: + ansible.builtin.file: path: "/etc/check_certificate" state: "directory" owner: root @@ -320,7 +320,7 @@ mode: "0755" - name: Deploy crontab entry for checking certificates - cron: + ansible.builtin.cron: name: "check_certificate" cron_file: "check_certificate" hour: "0" @@ -330,31 +330,31 @@ user: nobody - name: Install apticron (for checking available upgrades) - apt: + ansible.builtin.apt: name: apticron state: present # It would be too much hassle to detect changed state, so just ignore it. - name: Preventively run apticron to avoid issues with locking - command: /usr/sbin/apticron --cron + ansible.builtin.command: /usr/sbin/apticron --cron changed_when: false # Implementation for checking pip requirements files via via pip-tools. - name: Install packages required for running pip requirements checks - apt: + ansible.builtin.apt: name: - python3-setuptools - virtualenv state: present - name: Create dedicated group for user running pip requirements checks - group: + ansible.builtin.group: name: "pipreqcheck" gid: "{{ pipreqcheck_gid | default(omit) }}" state: present - name: Create user for running pip requirements checks - user: + ansible.builtin.user: name: "pipreqcheck" uid: "{{ pipreqcheck_uid | default(omit) }}" group: "pipreqcheck" @@ -362,7 +362,7 @@ state: present - name: Retrieve system Python interpreter version - command: + ansible.builtin.command: argv: - "/usr/bin/python3" - "-c" @@ -371,7 +371,7 @@ register: python_interpreter_version - name: Retrieve virtual environment Python interpreter version (if initialised) - command: + ansible.builtin.command: argv: - "/var/lib/pipreqcheck/virtualenv/bin/python" - "-c" @@ -384,7 +384,7 @@ register: virtualenv_python_version - name: Retrieve virtual environment prompt - command: + ansible.builtin.command: argv: - "bash" - "-c" @@ -396,7 +396,7 @@ register: current_virtualenv_prompt - name: Remove virtual environment in case of mismatches - file: + ansible.builtin.file: path: "/var/lib/pipreqcheck/virtualenv" state: absent when: | @@ -405,7 +405,7 @@ current_virtualenv_prompt.stdout != "(pipreqcheck) " - name: Create directory for Python virtual environment used for installing/running pip-tools - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: pipreqcheck @@ -416,7 +416,7 @@ - "/var/lib/pipreqcheck/virtualenv" - name: Create Python virtual environment used for installing/running pip-tools - command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'" + ansible.builtin.command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'" args: creates: "{{ item.creates }}" become: true @@ -429,7 +429,7 @@ creates: "/var/lib/pipreqcheck/virtualenv/bin/python3" - name: Create directory for storing pip requirements files - file: + ansible.builtin.file: path: "{{ item }}" state: "directory" owner: root @@ -439,7 +439,7 @@ - "/etc/pip_check_requirements_upgrades" - name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself - file: + ansible.builtin.file: path: "{{ item }}" state: "directory" owner: root @@ -449,7 +449,7 @@ - "/etc/pip_check_requirements_upgrades/pipreqcheck" - name: Deploy .in file for pip requirements in pip-tools virtual environment - template: + ansible.builtin.template: src: "pipreqcheck_requirements.in.j2" dest: "{{ item.path }}" owner: root @@ -460,7 +460,7 @@ requirements: "{{ pip_check_requirements_in }}" - name: Deploy requirements file for pipreqcheck virtual environment - template: + ansible.builtin.template: src: "pipreqcheck_requirements.txt.j2" dest: "{{ item.file }}" owner: root @@ -471,7 +471,7 @@ requirements: "{{ pip_check_requirements }}" - name: Install requirements in the pipreqcheck virtual environment - pip: + ansible.builtin.pip: requirements: "{{ item.requirements }}" virtualenv: "{{ item.virtualenv }}" become: true @@ -481,7 +481,7 @@ requirements: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" - name: Synchronise pip-tools virtual environment via deployed requirements file - shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" + ansible.builtin.shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" args: executable: /bin/bash become: true @@ -490,7 +490,7 @@ changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'" - name: Deploy script for checking available upgrades - copy: + ansible.builtin.copy: src: "pip_check_requirements_upgrades.sh" dest: "/usr/local/bin/pip_check_requirements_upgrades.sh" owner: root @@ -498,7 +498,7 @@ mode: "0755" - name: Deploy crontab entry for checking pip requirements - copy: + ansible.builtin.copy: src: "cron_check_pip_requirements" dest: "/etc/cron.d/check_pip_requirements" owner: root @@ -506,7 +506,7 @@ mode: "0644" - name: Install NTP packages - apt: + ansible.builtin.apt: name: - ntpsec - ntpsec-ntpdate @@ -514,7 +514,7 @@ when: ntp_pools | length > 0 - name: Remove NTP packages - apt: + ansible.builtin.apt: name: - ntpsec - ntpsec-ntpdate @@ -523,7 +523,7 @@ when: ntp_pools | length == 0 - name: Deploy NTP configuration - template: + ansible.builtin.template: src: "ntp.conf.j2" dest: "/etc/ntpsec/ntp.conf" owner: root @@ -534,7 +534,7 @@ - Restart NTP server - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/database/handlers/main.yml b/roles/database/handlers/main.yml index 8dae2fd6fcd7ea5173f2e61f1ea32b955134ba09..64ed8c7d39295a6b5016864971d59d5a1bfc1728 100644 --- a/roles/database/handlers/main.yml +++ b/roles/database/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Dummy handler to suppress Ansible warnings - debug: + ansible.builtin.debug: msg: "This is just a dummy task to suppress the Ansible warning about an empty include." diff --git a/roles/database/molecule/default/prepare.yml b/roles/database/molecule/default/prepare.yml index b89a35b8ff052860e49c4e0d1048cdaae3d271bd..3a369193a203c05e6f57462d37f7e1d07254da99 100644 --- a/roles/database/molecule/default/prepare.yml +++ b/roles/database/molecule/default/prepare.yml @@ -7,11 +7,11 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false diff --git a/roles/database/tasks/backup.yml b/roles/database/tasks/backup.yml index 72656fc8481d9f9d0b3a05ca31da4204d094a1ff..0b992ff438cb8c2c6d306a73b3b535adaebc0b3c 100644 --- a/roles/database/tasks/backup.yml +++ b/roles/database/tasks/backup.yml @@ -1,7 +1,7 @@ --- - name: Create directory for storing MariaDB database dumps - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root @@ -12,7 +12,7 @@ - "/srv/backup/mariadb" - name: Deploy script for creating database backup dumps - template: + ansible.builtin.template: src: "dump_db.sh.j2" dest: "/etc/duply/main/pre.d/dump_{{ db_name }}.sh" owner: root diff --git a/roles/database/tasks/main.yml b/roles/database/tasks/main.yml index 2cb7e24ba94588490e8e740ed2b1fac4aa9df7a4..228bed06ce65ebb30fbb89950a55bffe4973aa76 100644 --- a/roles/database/tasks/main.yml +++ b/roles/database/tasks/main.yml @@ -1,13 +1,13 @@ --- - name: "Create database {{ db_name }}" - mysql_db: + community.mysql.mysql_db: name: "{{ db_name }}" state: present login_unix_socket: "/var/run/mysqld/mysqld.sock" - name: "Create database user {{ db_name }}" - mysql_user: + community.mysql.mysql_user: name: "{{ db_name }}" password: "{{ db_password }}" priv: "{{ db_name }}.*:ALL" @@ -15,11 +15,11 @@ login_unix_socket: "/var/run/mysqld/mysqld.sock" - name: Enable backup - include_tasks: backup.yml + ansible.builtin.include_tasks: backup.yml when: enable_backup - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/database_server/handlers/main.yml b/roles/database_server/handlers/main.yml index 2908002246efdd1f81a2b1d4e54f531918d4bba4..b9de094e6ee889b0bdd825c68a1ceaa9325dde7d 100644 --- a/roles/database_server/handlers/main.yml +++ b/roles/database_server/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart MariaDB - service: + ansible.builtin.service: name: mysql state: restarted diff --git a/roles/database_server/molecule/default/prepare.yml b/roles/database_server/molecule/default/prepare.yml index eefd77c3d02929d5fe3bed6cc81072fdb26e7060..ad4260a270d56a9bbe635a177383b7e91432684d 100644 --- a/roles/database_server/molecule/default/prepare.yml +++ b/roles/database_server/molecule/default/prepare.yml @@ -7,10 +7,10 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false diff --git a/roles/database_server/tasks/main.yml b/roles/database_server/tasks/main.yml index d8d2d090760c255608a2012d4d35ec682ce17d98..7ea641346446fe5953ee863e08b7d26fc2a9b0af 100644 --- a/roles/database_server/tasks/main.yml +++ b/roles/database_server/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install MariaDB - apt: + ansible.builtin.apt: name: - mariadb-client - mariadb-server @@ -9,13 +9,13 @@ state: present - name: Enable and start MariaDB - service: + ansible.builtin.service: name: mysql state: started enabled: true - name: Set UTF-8 encoding as default for MariaDB - template: + ansible.builtin.template: src: "utf8.cnf.j2" dest: "/etc/mysql/mariadb.conf.d/90-utf8.cnf" owner: root @@ -28,13 +28,13 @@ # UTF-8 configuration must be applied immediatelly in order to ensure that # subsequent tasks that create databases will end-up with correct (UTF-8) # encoding. Otherwise they will be created using default latin1. - service: + ansible.builtin.service: name: mysql state: restarted when: mariadb_utf8_configuration.changed - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/ldap_client/handlers/main.yml b/roles/ldap_client/handlers/main.yml index 8dae2fd6fcd7ea5173f2e61f1ea32b955134ba09..64ed8c7d39295a6b5016864971d59d5a1bfc1728 100644 --- a/roles/ldap_client/handlers/main.yml +++ b/roles/ldap_client/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Dummy handler to suppress Ansible warnings - debug: + ansible.builtin.debug: msg: "This is just a dummy task to suppress the Ansible warning about an empty include." diff --git a/roles/ldap_client/molecule/default/prepare.yml b/roles/ldap_client/molecule/default/prepare.yml index eefd77c3d02929d5fe3bed6cc81072fdb26e7060..ad4260a270d56a9bbe635a177383b7e91432684d 100644 --- a/roles/ldap_client/molecule/default/prepare.yml +++ b/roles/ldap_client/molecule/default/prepare.yml @@ -7,10 +7,10 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false diff --git a/roles/ldap_client/tasks/main.yml b/roles/ldap_client/tasks/main.yml index c73295d26dc2d36ddaef2e8f0a32a47fce381985..6462a251c1d6fea559a96ed42d2eefef0c1d3eab 100644 --- a/roles/ldap_client/tasks/main.yml +++ b/roles/ldap_client/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Install OpenLDAP client tools - apt: + ansible.builtin.apt: name: ldap-utils state: present - name: Set-up LDAP client configuration directory - file: + ansible.builtin.file: path: /etc/ldap/ state: directory owner: root @@ -14,7 +14,7 @@ mode: "0755" - name: Deploy LDAP client configuration file - template: + ansible.builtin.template: src: ldap.conf.j2 dest: /etc/ldap/ldap.conf owner: root @@ -22,7 +22,7 @@ mode: "0644" - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/ldap_server/handlers/main.yml b/roles/ldap_server/handlers/main.yml index b7ad66e94652650fec8be772b56b40d1527dd357..1a40a67728a03a8ba631a7b264a7e1990a0432a9 100644 --- a/roles/ldap_server/handlers/main.yml +++ b/roles/ldap_server/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart slapd - service: + ansible.builtin.service: name: slapd state: restarted diff --git a/roles/ldap_server/molecule/default/cleanup.yml b/roles/ldap_server/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/ldap_server/molecule/default/cleanup.yml +++ b/roles/ldap_server/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/ldap_server/molecule/default/prepare.yml b/roles/ldap_server/molecule/default/prepare.yml index a55be1d1c533968da81c2bc5f5c2c8460b825d5d..b1642b31658ef77bcd2317a4415ac6aa5429eb43 100644 --- a/roles/ldap_server/molecule/default/prepare.yml +++ b/roles/ldap_server/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init" + ansible.builtin.command: "gimmecert init" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Generate server private keys and certificates - command: + ansible.builtin.command: args: chdir: "tests/data/" creates: ".gimmecert/server/{{ item.name }}.cert.pem" @@ -29,7 +29,7 @@ fqdn: parameters-optional - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -41,16 +41,16 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Deploy CA certificate - copy: + ansible.builtin.copy: src: tests/data/x509/ca/level1.cert.pem dest: /etc/ssl/certs/testca.cert.pem owner: root @@ -58,12 +58,12 @@ mode: "0644" - name: Remove the ss utility (see https://github.com/philpep/testinfra/pull/320) - file: + ansible.builtin.file: path: "/bin/ss" state: absent - name: Install tools for testing - apt: + ansible.builtin.apt: name: - net-tools - nmap @@ -76,12 +76,12 @@ tasks: - name: Install tool for teting TCP connectivity - apt: + ansible.builtin.apt: name: hping3 state: present - name: Set-up /etc/hosts with entries for all servers - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -99,7 +99,7 @@ tasks: - name: Set-up the hosts file - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -116,7 +116,7 @@ tasks: - name: Set-up the hosts file - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" diff --git a/roles/ldap_server/tasks/backup.yml b/roles/ldap_server/tasks/backup.yml index 14aff20fee7c1baada76ab88b316ff630aa114c3..6ffbaab230bd545f80e21711ee0ec981439e2584 100644 --- a/roles/ldap_server/tasks/backup.yml +++ b/roles/ldap_server/tasks/backup.yml @@ -1,7 +1,7 @@ --- - name: Create directory for storing LDAP database dumps - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root @@ -11,7 +11,7 @@ - "/srv/backup" - name: Deploy script for creating LDAP database backup dumps - copy: + ansible.builtin.copy: src: "ldapdump.sh" dest: "/etc/duply/main/pre.d/ldapdump.sh" owner: root diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 37d4d516a65970125bcfdd0f569b20a122754e03..e3d64f87b2974cdf6afaf1dd2cc629537f740945 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -1,26 +1,26 @@ --- - name: Set domain for slapd - debconf: + ansible.builtin.debconf: name: slapd question: slapd/domain vtype: string value: "{{ ldap_server_domain }}" - name: Set organisation for slapd - debconf: + ansible.builtin.debconf: name: slapd question: shared/organization vtype: string value: "{{ ldap_server_organization }}" - name: Install slapd - apt: + ansible.builtin.apt: name: slapd state: present - name: Allow OpenLDAP user to traverse the directory with TLS private keys - user: + ansible.builtin.user: name: openldap append: true groups: ssl-cert @@ -31,18 +31,18 @@ # In order to be able to change LDAP server TLS configuration, it must be # able to read both the private key and certificate. Therefore we need to # immediatelly restart (since configuration is done live on the server. - service: + ansible.builtin.service: name: slapd state: restarted when: openldap_in_ssl_cert.changed - name: Install Python LDAP bindings - apt: + ansible.builtin.apt: name: python3-pyldap state: present - name: Set-up LDAP server to listen on legacy SSL port - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/slapd state: present backrefs: true @@ -52,7 +52,7 @@ - Restart slapd - name: Enable and start slapd service - service: + ansible.builtin.service: name: slapd state: started enabled: true @@ -65,12 +65,12 @@ values: "{{ ldap_server_log_level }}" - name: Test if LDAP misc schema has been applied - command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn" + ansible.builtin.command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn" register: ldap_misc_schema_present changed_when: false - name: Deploy LDAP misc schema - command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif" + ansible.builtin.command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif" when: not ldap_misc_schema_present.stdout changed_when: true # Always results in change due to task logic. @@ -79,7 +79,7 @@ # against under Debian) picking a matching DH parameter from RFC-7919 # (https://www.ietf.org/rfc/rfc7919.txt). - name: Generate the LDAP server Diffie-Hellman parameter - openssl_dhparam: + community.crypto.openssl_dhparam: owner: root group: openldap mode: "0640" @@ -89,7 +89,7 @@ - Restart slapd - name: Deploy LDAP TLS private key - template: + ansible.builtin.template: src: "ldap_tls_key.j2" dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" mode: "0640" @@ -99,7 +99,7 @@ - Restart slapd - name: Deploy LDAP TLS certificate - template: + ansible.builtin.template: src: "ldap_tls_cert.j2" dest: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" mode: "0644" @@ -109,7 +109,7 @@ - Restart slapd - name: Deploy configuration file for checking certificate validity via cron - copy: + ansible.builtin.copy: content: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" dest: "/etc/check_certificate/{{ ansible_fqdn }}_ldap.conf" owner: root @@ -193,7 +193,7 @@ values: "{1}memberof" - name: Enable the memberof overlay for database - ldap_entry: + community.general.ldap_entry: dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config" objectClass: - olcConfig @@ -211,12 +211,12 @@ rules: "{{ ldap_permissions }}" - name: Drop the admin entry corresponding to olcRootDN for database from directory - ldap_entry: + community.general.ldap_entry: dn: "cn=admin,{{ ldap_server_int_basedn }}" state: absent - name: Create basic LDAP directory structure - ldap_entry: + community.general.ldap_entry: dn: "ou={{ item }},{{ ldap_server_int_basedn }}" objectClass: - organizationalUnit @@ -228,7 +228,7 @@ - services - name: Create the entry that will contain mail service information - ldap_entry: + community.general.ldap_entry: dn: "ou=mail,ou=services,{{ ldap_server_int_basedn }}" objectClass: - organizationalUnit @@ -236,7 +236,7 @@ ou: mail - name: Create LDAP directory structure for mail service - ldap_entry: + community.general.ldap_entry: dn: "ou={{ item }},ou=mail,ou=services,{{ ldap_server_int_basedn }}" objectClass: - organizationalUnit @@ -247,7 +247,7 @@ - aliases - name: Create or remove login entries for services - ldap_entry: + community.general.ldap_entry: dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}" objectClass: - applicationProcess @@ -268,7 +268,7 @@ when: "item.state | default('present') == 'present'" - name: Create or remove user-supplied groups - ldap_entry: + community.general.ldap_entry: dn: "cn={{ item.name }},ou=groups,{{ ldap_server_int_basedn }}" objectClass: - groupOfUniqueNames @@ -279,7 +279,7 @@ with_items: "{{ ldap_server_groups }}" - name: Create user-supplied LDAP entries - ldap_entry: + community.general.ldap_entry: dn: "{{ item.dn }}" objectClass: "{{ item.attributes.objectClass }}" attributes: "{{ item.attributes }}" @@ -287,7 +287,7 @@ with_items: "{{ ldap_entries }}" - name: Deploy firewall configuration for LDAP - copy: + ansible.builtin.copy: src: "ferm_ldap.conf" dest: "/etc/ferm/conf.d/10-ldap.conf" owner: root @@ -300,7 +300,7 @@ # was in use (where community collection has the ldap_search # module. - name: Deploy temporary file with LDAP admin password - template: + ansible.builtin.template: src: "ldap_admin_password.j2" dest: "/root/.ldap_admin_password" owner: root @@ -309,7 +309,7 @@ changed_when: false - name: Test if LDAP admin password needs to be changed - command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password" + ansible.builtin.command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password" register: ldap_admin_password_check changed_when: ldap_admin_password_check.rc != 0 failed_when: false @@ -323,17 +323,17 @@ when: ldap_admin_password_check.rc != 0 - name: Remove temporary file with LDAP admin password - file: + ansible.builtin.file: path: "/root/.ldap_admin_password" state: absent changed_when: false - name: Enable backup - include_tasks: backup.yml + ansible.builtin.include_tasks: backup.yml when: enable_backup - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/mail_forwarder/handlers/main.yml b/roles/mail_forwarder/handlers/main.yml index 51e8cb8d2e30a7bde7d909f0671c6b0da741a342..50816fae35c6052a4fb379f7c7e9c49b79b990f1 100644 --- a/roles/mail_forwarder/handlers/main.yml +++ b/roles/mail_forwarder/handlers/main.yml @@ -5,9 +5,9 @@ # This task is invoked only if user is very specific about requiring to # run the handlers manually as a way to bring the system to consistency # after interrupted runs. - command: "/usr/bin/newaliases" + ansible.builtin.command: "/usr/bin/newaliases" - name: Restart Postfix - service: + ansible.builtin.service: name: postfix state: restarted diff --git a/roles/mail_forwarder/molecule/default/cleanup.yml b/roles/mail_forwarder/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/mail_forwarder/molecule/default/cleanup.yml +++ b/roles/mail_forwarder/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/mail_forwarder/molecule/default/prepare.yml b/roles/mail_forwarder/molecule/default/prepare.yml index 2e7623a9266bc0949b623eef17fb2d2b02e7f879..35ebdd99197ee391d5c280ab2a514fe80284301e 100644 --- a/roles/mail_forwarder/molecule/default/prepare.yml +++ b/roles/mail_forwarder/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init" + ansible.builtin.command: "gimmecert init" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Generate server private keys and certificates - command: + ansible.builtin.command: args: chdir: "tests/data/" creates: ".gimmecert/server/{{ item.name }}.cert.pem" @@ -27,7 +27,7 @@ fqdn: mail-server - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -39,16 +39,16 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Set-up the hosts file - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -64,7 +64,7 @@ 192.168.56.23: "parameters-no-incoming-bookworm" - name: Install tools for testing - apt: + ansible.builtin.apt: name: gnutls-bin state: present @@ -74,17 +74,17 @@ tasks: - name: Install SWAKS for testing SMTP capability - apt: + ansible.builtin.apt: name: swaks state: present - name: Install tool for testing TCP connectivity - apt: + ansible.builtin.apt: name: hping3 state: present - name: Deploy CA certificate - copy: + ansible.builtin.copy: src: tests/data/x509/ca/level1.cert.pem dest: /usr/local/share/ca-certificates/testca.crt owner: root @@ -98,7 +98,7 @@ - name: Update CA certificate cache # noqa no-changed-when # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. - command: /usr/sbin/update-ca-certificates --fresh + ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh - name: Prepare, helpers hosts: mail-servers @@ -106,7 +106,7 @@ tasks: - name: Deploy CA certificate - copy: + ansible.builtin.copy: src: tests/data/x509/ca/level1.cert.pem dest: /usr/local/share/ca-certificates/testca.crt owner: root @@ -116,7 +116,7 @@ - Update CA certificate cache - name: Deploy SMTP private key and certificate - copy: + ansible.builtin.copy: src: "tests/data/x509/server/{{ item }}" dest: "/etc/ssl/{{ item }}" owner: root @@ -127,18 +127,18 @@ - mail-server_smtp.key.pem - name: Install Postfix - apt: + ansible.builtin.apt: name: "postfix" state: present - name: Purge Exim configuration - apt: + ansible.builtin.apt: name: "exim4*" state: absent purge: true - name: Deploy Postfix configuration - copy: + ansible.builtin.copy: src: tests/data/main.cf dest: /etc/postfix/main.cf owner: root @@ -148,17 +148,17 @@ - Restart Postfix - name: Install tool for testing TCP connectivity - apt: + ansible.builtin.apt: name: hping3 state: present - name: Install SWAKS for testing SMTP capability - apt: + ansible.builtin.apt: name: swaks state: present - name: Set-up port forwarding - command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport 27 -j REDIRECT --to-ports 25" + ansible.builtin.command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport 27 -j REDIRECT --to-ports 25" changed_when: false handlers: @@ -166,10 +166,10 @@ - name: Update CA certificate cache # noqa no-changed-when # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. - command: /usr/sbin/update-ca-certificates --fresh + ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh - name: Restart Postfix - service: + ansible.builtin.service: name: postfix state: restarted @@ -179,10 +179,10 @@ tasks: - name: Create additional group for testing local aliases - group: + ansible.builtin.group: name: testuser - name: Create additional user for testing local aliases - user: + ansible.builtin.user: name: testuser group: testuser diff --git a/roles/mail_forwarder/tasks/main.yml b/roles/mail_forwarder/tasks/main.yml index 247d66de50f442c34cb50c018feeeb7aa0c0569e..a58530e2e04815b1969d5c5b0190ef55602b1b37 100644 --- a/roles/mail_forwarder/tasks/main.yml +++ b/roles/mail_forwarder/tasks/main.yml @@ -1,23 +1,23 @@ --- - name: Install Postfix - apt: + ansible.builtin.apt: name: postfix state: present - name: Install procmail - apt: + ansible.builtin.apt: name: procmail state: present - name: Purge Exim configuration - apt: + ansible.builtin.apt: name: "exim4*" state: absent purge: true - name: Deploy the SMTP relay TLS truststore - copy: + ansible.builtin.copy: content: "{{ smtp_relay_truststore }}" dest: "/etc/ssl/certs/smtp_relay_truststore.pem" owner: root @@ -25,7 +25,7 @@ mode: "0644" - name: Generate the SMTP server Diffie-Hellman parameter - openssl_dhparam: + community.crypto.openssl_dhparam: owner: root group: root mode: "0640" @@ -35,7 +35,7 @@ - Restart Postfix - name: Configure visible mail name of the system - copy: + ansible.builtin.copy: content: "{{ inventory_hostname }}" dest: "/etc/mailname" owner: root @@ -45,7 +45,7 @@ - Restart Postfix - name: Deploy Postfix main configuration - template: + ansible.builtin.template: src: "main.cf.j2" dest: "/etc/postfix/main.cf" owner: root @@ -55,7 +55,7 @@ - Restart Postfix - name: Set-up local mail aliases - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/aliases" line: "{{ item.key }}: {{ item.value }}" regexp: "^{{ item.key }}" @@ -65,13 +65,13 @@ - Rebuild mail aliases - name: Enable and start postfix service - service: + ansible.builtin.service: name: postfix state: started enabled: true - name: Retrieve IPv4 addresses of SMTP relay host - shell: "getent ahostsv4 '{{ smtp_relay_host }}' | awk '{ print $1 }' | sort -u" # noqa risky-shell-pipe + ansible.builtin.shell: "getent ahostsv4 '{{ smtp_relay_host }}' | awk '{ print $1 }' | sort -u" # noqa risky-shell-pipe # [risky-shell-pipe] Shells that use pipes should set the pipefail option # The getent ahostsv4 command has non-zero exit code if the # supplies name cannot be resolved. However, that is a valid @@ -82,7 +82,7 @@ register: smtp_relay_host_ipv4 - name: Retrieve IPv6 addresses of SMTP relay host - shell: "getent ahostsv6 '{{ smtp_relay_host }}' | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u" # noqa risky-shell-pipe + ansible.builtin.shell: "getent ahostsv6 '{{ smtp_relay_host }}' | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u" # noqa risky-shell-pipe # [risky-shell-pipe] Shells that use pipes should set the pipefail option # The getent ahostsv6 command has non-zero exit code if the # supplies name cannot be resolved. However, that is a valid @@ -93,17 +93,17 @@ register: smtp_relay_host_ipv6 - name: Normalise the SMTP relay host IPv4 addresses variable - set_fact: + ansible.builtin.set_fact: smtp_relay_host_ipv4: "{{ smtp_relay_host_ipv4.stdout_lines | reject('equalto', '') | list }}" when: "smtp_relay_host | length != 0" - name: Normalise the SMTP relay host IPv6 addresses variable - set_fact: + ansible.builtin.set_fact: smtp_relay_host_ipv6: "{{ smtp_relay_host_ipv6.stdout_lines | reject('equalto', '') | list }}" when: "smtp_relay_host | length != 0" - name: Deploy firewall configuration for mail forwader - template: + ansible.builtin.template: src: "ferm_mail.conf.j2" dest: "/etc/ferm/conf.d/20-mail.conf" owner: root @@ -113,12 +113,12 @@ - Restart ferm - name: Install SWAKS - apt: + ansible.builtin.apt: name: swaks state: present - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/mail_server/handlers/main.yml b/roles/mail_server/handlers/main.yml index 3a8553c1819916d9531bdd83a580bf79b2f7ce16..6bb6f5bd1903583433ed1c06320992f9f7253242 100644 --- a/roles/mail_server/handlers/main.yml +++ b/roles/mail_server/handlers/main.yml @@ -1,17 +1,17 @@ --- - name: Restart Postfix - service: + ansible.builtin.service: name: postfix state: restarted - name: Restart Dovecot - service: + ansible.builtin.service: name: dovecot state: restarted - name: Restart ClamAV Milter - service: + ansible.builtin.service: name: clamav-milter state: restarted @@ -20,4 +20,4 @@ # This task is invoked only if user is very specific about requiring to # run the handlers manually as a way to bring the system to consistency # after interrupted runs. - command: /usr/bin/newaliases + ansible.builtin.command: /usr/bin/newaliases diff --git a/roles/mail_server/molecule/default/cleanup.yml b/roles/mail_server/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/mail_server/molecule/default/cleanup.yml +++ b/roles/mail_server/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/mail_server/molecule/default/prepare.yml b/roles/mail_server/molecule/default/prepare.yml index d17af227f5c44ae7dd3c4e8d6f5d6b45b0191156..c9823d72283b1eb0647fb900d13625b121cbabae 100644 --- a/roles/mail_server/molecule/default/prepare.yml +++ b/roles/mail_server/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init" + ansible.builtin.command: "gimmecert init" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Generate server private keys and certificates - command: + ansible.builtin.command: args: chdir: "tests/data/" creates: ".gimmecert/server/{{ item.name }}.cert.pem" @@ -39,7 +39,7 @@ fqdn: parameters-optional-bookworm - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -50,16 +50,16 @@ gather_facts: false tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Install tools for testing - apt: + ansible.builtin.apt: name: - gnutls-bin - nmap @@ -71,14 +71,14 @@ tasks: - name: Install system packages for hosting the ClamAV database - apt: + ansible.builtin.apt: name: - nginx - virtualenv state: present - name: Set-up directory for ClamAV database sync tool virtual environment - file: + ansible.builtin.file: path: /var/lib/cvdupdate state: directory owner: vagrant @@ -88,12 +88,12 @@ - name: Create virtual environment for running ClamAV database sync tool become: true become_user: vagrant - command: + ansible.builtin.command: cmd: "/usr/bin/virtualenv --python /usr/bin/python3 --prompt '(cvdupdate) ' /var/lib/cvdupdate" creates: "/var/lib/cvdupdate" - name: Deploy pip requirements file for running the ClamAV database sync tool - copy: + ansible.builtin.copy: src: cvdupdate-requirements.txt dest: /var/lib/cvdupdate/requirements.txt owner: vagrant @@ -103,17 +103,17 @@ - name: Install requirements in the pipreqcheck virtual environment become: true become_user: vagrant - pip: + ansible.builtin.pip: requirements: /var/lib/cvdupdate/requirements.txt virtualenv: /var/lib/cvdupdate - name: Allow traversal of Vagrant directory by the http server user - file: + ansible.builtin.file: path: /vagrant/ mode: "0711" - name: Create directory for storing ClamAV database files - file: + ansible.builtin.file: path: /vagrant/clamav-database state: directory owner: vagrant @@ -125,23 +125,23 @@ # Does not matter in test prepare step. become: true become_user: vagrant - command: "/var/lib/cvdupdate/bin/cvd config set --dbdir /vagrant/clamav-database/" + ansible.builtin.command: "/var/lib/cvdupdate/bin/cvd config set --dbdir /vagrant/clamav-database/" - name: Download/update the ClamAV database files # noqa no-changed-when # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. become: true become_user: vagrant - command: "/var/lib/cvdupdate/bin/cvd update" + ansible.builtin.command: "/var/lib/cvdupdate/bin/cvd update" - name: Allow all users to read ClamAV database files - file: + ansible.builtin.file: path: "/vagrant/clamav-database/" mode: "g=u-w,o=u-w" recurse: true - name: Deploy nginx TLS private key - copy: + ansible.builtin.copy: dest: "/etc/ssl/private/nginx_https.key" content: "{{ clamav_database_http_server_tls_key }}" mode: "0640" @@ -151,7 +151,7 @@ - Restart nginx - name: Deploy nginx TLS certificate - copy: + ansible.builtin.copy: dest: "/etc/ssl/certs/nginx_https.pem" content: "{{ clamav_database_http_server_tls_certificate }}" mode: "0644" @@ -161,7 +161,7 @@ - Restart nginx - name: Deploy nginx configuration for serving the ClamAV database files - copy: + ansible.builtin.copy: src: clamav-database-nginx.conf dest: /etc/nginx/sites-available/default owner: root @@ -173,7 +173,7 @@ handlers: - name: Restart nginx - service: + ansible.builtin.service: name: nginx state: restarted @@ -183,7 +183,7 @@ tasks: - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter - blockinfile: + ansible.builtin.blockinfile: path: "/etc/ssl/openssl.cnf" block: | [openssl_init] @@ -201,7 +201,7 @@ state: present - name: Set-up the hosts file - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -224,7 +224,7 @@ tasks: - name: Install tool for testing SMTP capability - apt: + ansible.builtin.apt: name: swaks state: present @@ -232,17 +232,17 @@ block: - name: Install required system packages - apt: + ansible.builtin.apt: name: python3-venv state: present - name: Set-up dedicated Python virtual environment for running the tool - command: "python3 -m venv /opt/imap-cli" + ansible.builtin.command: "python3 -m venv /opt/imap-cli" args: creates: /opt/imap-cli/bin/python - name: Install IMAP CLI - pip: + ansible.builtin.pip: name: - Imap-CLI==0.7 - six @@ -250,7 +250,7 @@ virtualenv: /opt/imap-cli - name: Set-up symlinks for running the tool - file: + ansible.builtin.file: src: "/opt/imap-cli/bin/{{ item }}" dest: "/usr/local/bin/{{ item }}" owner: root @@ -270,17 +270,17 @@ - imap-cli-list - name: Install tool for testing SIEVE - apt: + ansible.builtin.apt: name: sieve-connect state: present - name: Install tool for testing TCP connectivity - apt: + ansible.builtin.apt: name: hping3 state: present - name: Deploy IMAP CLI configuration - copy: + ansible.builtin.copy: src: "tests/data/{{ item }}" dest: "/home/vagrant/{{ item }}" owner: vagrant @@ -293,7 +293,7 @@ - imapcli-parameters-optional-jane_doe.conf - name: Deploy CA certificate - copy: + ansible.builtin.copy: src: tests/data/x509/ca/level1.cert.pem dest: /usr/local/share/ca-certificates/testca.crt owner: root @@ -306,18 +306,18 @@ block: - name: Install Postfix - apt: + ansible.builtin.apt: name: postfix state: present - name: Purge Exim - apt: + ansible.builtin.apt: name: "exim4*" state: absent purge: true - name: Configure Postfix - template: + ansible.builtin.template: src: "helper_smtp_main.cf.j2" dest: "/etc/postfix/main.cf" owner: root @@ -327,7 +327,7 @@ - Restart Postfix - name: Enable Postfix service - service: + ansible.builtin.service: name: postfix state: started enabled: true @@ -335,12 +335,12 @@ handlers: - name: Update CA certificate cache # noqa no-changed-when - command: /usr/sbin/update-ca-certificates --fresh + ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. - name: Restart Postfix - service: + ansible.builtin.service: name: postfix state: restarted @@ -357,7 +357,7 @@ tasks: - name: Create LDAP accounts for testing - ldap_entry: + community.general.ldap_entry: dn: "{{ item.dn }}" objectClass: "{{ item.objectClass }}" attributes: "{{ item.attributes }}" @@ -436,10 +436,10 @@ tasks: - name: Create group for user used for local mail delivery testing - group: + ansible.builtin.group: name: localuser - name: Create user for local mail delivery testing - user: + ansible.builtin.user: name: localuser group: localuser diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml index 4024e27bc0efe4ff088893d6b5731906293ddc28..486ff223d636232437b3d613253bf0ffd679ca87 100644 --- a/roles/mail_server/tasks/main.yml +++ b/roles/mail_server/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Install rsync - apt: + ansible.builtin.apt: name: rsync state: present - name: Install Dovecot packages - apt: + ansible.builtin.apt: name: - dovecot-imapd - dovecot-ldap @@ -15,32 +15,32 @@ state: present - name: Install Postfix packages - apt: + ansible.builtin.apt: name: - postfix - postfix-ldap state: present - name: Purge Exim configuration - apt: + ansible.builtin.apt: name: "exim4*" state: absent purge: true - name: Allow Postfix user to traverse the directory with TLS private keys - user: + ansible.builtin.user: name: postfix append: true groups: ssl-cert - name: Allow Dovecot user to traverse the directory with TLS private keys - user: + ansible.builtin.user: name: dovecot append: true groups: ssl-cert - name: Deploy SMTP TLS private key - copy: + ansible.builtin.copy: dest: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.key" content: "{{ smtp_tls_key }}" mode: "0640" @@ -50,7 +50,7 @@ - Restart Postfix - name: Deploy SMTP TLS certificate - copy: + ansible.builtin.copy: dest: "/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem" content: "{{ smtp_tls_certificate }}" mode: "0644" @@ -60,7 +60,7 @@ - Restart Postfix - name: Generate the SMTP server Diffie-Hellman parameter - openssl_dhparam: + community.crypto.openssl_dhparam: owner: root group: root mode: "0640" @@ -70,7 +70,7 @@ - Restart Postfix - name: Deploy IMAP TLS private key - copy: + ansible.builtin.copy: dest: "/etc/ssl/private/{{ ansible_fqdn }}_imap.key" content: "{{ imap_tls_key }}" mode: "0640" @@ -80,7 +80,7 @@ - Restart Dovecot - name: Deploy IMAP TLS certificate - copy: + ansible.builtin.copy: dest: "/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem" content: "{{ imap_tls_certificate }}" mode: "0644" @@ -90,7 +90,7 @@ - Restart Dovecot - name: Generate the IMAP server Diffie-Hellman parameter - openssl_dhparam: + community.crypto.openssl_dhparam: owner: root group: root mode: "0640" @@ -100,7 +100,7 @@ - Restart Dovecot - name: Deploy configuration files for checking certificate validity via cron - copy: + ansible.builtin.copy: content: "/etc/ssl/certs/{{ ansible_fqdn }}_{{ item }}.pem" dest: "/etc/check_certificate/{{ ansible_fqdn }}_{{ item }}.conf" owner: root @@ -111,17 +111,17 @@ - imap - name: Install SWAKS - apt: + ansible.builtin.apt: name: swaks state: present - name: Install milter packages - apt: + ansible.builtin.apt: name: clamav-milter state: present - name: Configure ClamAV Milter - copy: + ansible.builtin.copy: dest: "/etc/clamav/clamav-milter.conf" src: "clamav-milter.conf" mode: "0644" @@ -131,7 +131,7 @@ - Restart ClamAV Milter - name: Set-up privileges for directories within Postfix chroot - file: + ansible.builtin.file: dest: "{{ item }}" mode: "0755" state: directory @@ -142,7 +142,7 @@ - /var/spool/postfix/var/run - name: Set-up privileges for directories within Postfix chroot - file: + ansible.builtin.file: dest: "{{ item }}" state: directory owner: clamav @@ -152,7 +152,7 @@ - /var/spool/postfix/var/run/clamav - name: Deploy the LDAP TLS truststore in default location - copy: + ansible.builtin.copy: content: "{{ mail_ldap_tls_truststore }}" dest: "/etc/ssl/certs/mail_ldap_tls_truststore.pem" owner: root @@ -160,7 +160,7 @@ mode: "0644" - name: Deploy the LDAP TLS truststore in Postfix chroot - copy: + ansible.builtin.copy: content: "{{ mail_ldap_tls_truststore }}" dest: "/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem" owner: root @@ -170,7 +170,7 @@ - Restart Postfix - name: Configure visible mail name of the system - copy: + ansible.builtin.copy: content: "{{ inventory_hostname }}" dest: "/etc/mailname" owner: root @@ -180,7 +180,7 @@ - Restart Postfix - name: Deploy Postfix configurations files for LDAP look-ups - template: + ansible.builtin.template: src: "{{ item }}.cf.j2" dest: "/etc/postfix/{{ item }}.cf" owner: root @@ -194,7 +194,7 @@ - Restart Postfix - name: Deploy Postfix main configuration - template: + ansible.builtin.template: src: "main.cf.j2" dest: "/etc/postfix/main.cf" owner: root @@ -204,7 +204,7 @@ - Restart Postfix - name: Set-up local mail aliases - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/aliases" line: "{{ item.key }}: {{ item.value }}" regexp: "^{{ item.key }}" @@ -214,13 +214,13 @@ - Rebuild mail aliases - name: Create mail owner group - group: + ansible.builtin.group: name: "{{ mail_user }}" gid: "{{ mail_user_gid | default(omit) }}" state: present - name: Create mail owner user - user: + ansible.builtin.user: name: "{{ mail_user }}" uid: "{{ mail_user_uid | default(omit) }}" group: "{{ mail_user }}" @@ -228,7 +228,7 @@ state: present - name: Disable Dovecot system authentication - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/dovecot/conf.d/10-auth.conf" line: "!include auth-system.conf.ext" state: absent @@ -236,7 +236,7 @@ - Restart Dovecot - name: Deploy Dovecot configuration file with overrides - template: + ansible.builtin.template: src: "99-local.conf.j2" dest: "/etc/dovecot/conf.d/99-local.conf" owner: root @@ -246,7 +246,7 @@ - Restart Dovecot - name: Deploy Dovecot configuration file for LDAP look-ups - template: + ansible.builtin.template: src: "dovecot-ldap.conf.ext.j2" dest: "/etc/dovecot/dovecot-ldap.conf.ext" owner: root @@ -256,7 +256,7 @@ - Restart Dovecot - name: Deploy Postifx master process configuration - template: + ansible.builtin.template: src: "master.cf.j2" dest: "/etc/postfix/master.cf" owner: root @@ -266,13 +266,13 @@ - Restart Postfix - name: Enable and start ClamAV database update service (freshclam) - service: + ansible.builtin.service: name: clamav-freshclam state: started enabled: true - name: Check availability of ClamAV database files - stat: + ansible.builtin.stat: path: "{{ item }}" with_items: - /var/lib/clamav/bytecode.cld @@ -283,12 +283,12 @@ - name: Wait for ClamAV database to be available (up to 10 minutes) when: not item.stat.exists with_items: "{{ clamav_db_files.results }}" - wait_for: + ansible.builtin.wait_for: path: "{{ item.item | replace('.cld', '.cvd') }}" timeout: 600 - name: Enable and start ClamAV daemon and milter services - service: + ansible.builtin.service: name: "{{ item }}" state: started enabled: true @@ -298,24 +298,24 @@ # It may take ClamAV a while to read all the necessary database files etc. - name: Wait for ClamAV to become available (up to 5 minutes) - wait_for: + ansible.builtin.wait_for: path: "/var/run/clamav/clamd.ctl" timeout: 300 - name: Enable and start Postfix service - service: + ansible.builtin.service: name: postfix state: started enabled: true - name: Enable and start Dovecot service - service: + ansible.builtin.service: name: dovecot state: started enabled: true - name: Deploy firewall configuration for mail server - copy: + ansible.builtin.copy: src: "ferm_mail.conf" dest: "/etc/ferm/conf.d/20-mail.conf" owner: root @@ -325,7 +325,7 @@ - Restart ferm - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/php_website/handlers/main.yml b/roles/php_website/handlers/main.yml index 8dae2fd6fcd7ea5173f2e61f1ea32b955134ba09..64ed8c7d39295a6b5016864971d59d5a1bfc1728 100644 --- a/roles/php_website/handlers/main.yml +++ b/roles/php_website/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Dummy handler to suppress Ansible warnings - debug: + ansible.builtin.debug: msg: "This is just a dummy task to suppress the Ansible warning about an empty include." diff --git a/roles/php_website/molecule/default/cleanup.yml b/roles/php_website/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/php_website/molecule/default/cleanup.yml +++ b/roles/php_website/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/php_website/molecule/default/converge.yml b/roles/php_website/molecule/default/converge.yml index 281a31735ae19720b7467fa2524f292fe2878c33..c5567a9a36868757aeba2b3ae4e53ba37190625d 100644 --- a/roles/php_website/molecule/default/converge.yml +++ b/roles/php_website/molecule/default/converge.yml @@ -57,7 +57,7 @@ tasks: # parameters-mandatory application - name: Set-up directory where PHP files are hosted at - file: + ansible.builtin.file: path: /var/www/parameters-mandatory/htdocs state: directory owner: admin-parameters-mandatory @@ -65,7 +65,7 @@ mode: "0750" - name: Deploy a couple of PHP pages for testing purposes - copy: + ansible.builtin.copy: src: "tests/data/php/mandatory/{{ item }}" dest: "/var/www/parameters-mandatory/htdocs/{{ item }}" owner: admin-parameters-mandatory @@ -77,7 +77,7 @@ # parameters-optional application - name: Set-up directory where PHP files are hosted at - file: + ansible.builtin.file: path: /var/www/parameters-optional.local/htdocs state: directory owner: admin-parameters-optional_local @@ -85,7 +85,7 @@ mode: "0750" - name: Deploy a couple of PHP pages for testing purposes - copy: + ansible.builtin.copy: src: "tests/data/php/optional/{{ item }}" dest: "/var/www/parameters-optional.local/htdocs/{{ item }}" owner: admin-parameters-optional_local diff --git a/roles/php_website/molecule/default/prepare.yml b/roles/php_website/molecule/default/prepare.yml index 020b223c349afcac324b015b6b29228d7f5b7554..1de5e3f8c4bca4e1660e8bdc906fc9495d8afae3 100644 --- a/roles/php_website/molecule/default/prepare.yml +++ b/roles/php_website/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init" + ansible.builtin.command: "gimmecert init" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Generate server private keys and certificates - command: + ansible.builtin.command: args: chdir: "tests/data/" creates: ".gimmecert/server/{{ item.name }}.cert.pem" @@ -31,7 +31,7 @@ fqdn: php-website - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -43,42 +43,42 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) become: true changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Set-up /etc/hosts entries - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts line: "{{ ansible_eth0.ipv4.address }} parameters-mandatory parameters-optional.local php-website" - name: Install curl for testing redirects and webpage content - apt: + ansible.builtin.apt: name: curl state: present - name: Install swaks for testing mail forwarding - apt: + ansible.builtin.apt: name: swaks state: present - name: Install Postfix for testing mail forwarding (Exim4 not covered) - apt: + ansible.builtin.apt: name: postfix state: present - name: Install procmail for consistency with mail_server and mail_forwarder roles - apt: + ansible.builtin.apt: name: procmail state: present - name: Update Postfix configuration - lineinfile: + ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^{{ item.key }}" line: "{{ item.value }}" @@ -90,7 +90,7 @@ - Restart Postfix - name: Direct all mails from the root account to vagrant - lineinfile: + ansible.builtin.lineinfile: path: /etc/aliases regexp: "^root" line: "root: vagrant" @@ -99,12 +99,12 @@ - Generate aliases database - name: Set-up group for an additional user - group: + ansible.builtin.group: name: user state: present - name: Set-up additional user for testing mail delivery - user: + ansible.builtin.user: name: user group: user shell: /bin/bash @@ -112,11 +112,11 @@ handlers: - name: Restart Postfix - service: + ansible.builtin.service: name: postfix state: restarted - name: Generate aliases database # noqa no-changed-when - command: "/usr/bin/newaliases" + ansible.builtin.command: "/usr/bin/newaliases" # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. diff --git a/roles/php_website/tasks/main.yml b/roles/php_website/tasks/main.yml index 13751868d871a4bd4d35d18b13d8a950754d76c4..79badd10eecaab00605bc0aec986ccaff6d9977e 100644 --- a/roles/php_website/tasks/main.yml +++ b/roles/php_website/tasks/main.yml @@ -1,23 +1,23 @@ --- - name: Create PHP website group - group: + ansible.builtin.group: name: "{{ user }}" gid: "{{ uid | default(omit) }}" state: present - name: Create PHP website admin user - user: + ansible.builtin.user: name: "{{ admin }}" uid: "{{ admin_uid | default(omit) }}" group: "{{ user }}" - shell: /bin/bash + ansible.builtin.shell: /bin/bash createhome: true home: "{{ home }}" state: present - name: Set-up directory for storing user profile configuration files - file: + ansible.builtin.file: path: "{{ home }}/.profile.d" state: directory owner: "{{ admin }}" @@ -25,7 +25,7 @@ mode: "0750" - name: Create PHP website user - user: + ansible.builtin.user: name: "{{ user }}" uid: "{{ uid | default(omit) }}" group: "{{ user }}" @@ -37,10 +37,10 @@ # This is a workaround for a rather stupid bug that Debian seems # uninterested to backport - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762 - shell: /bin/sh + ansible.builtin.shell: /bin/sh - name: Add nginx user to website group - user: + ansible.builtin.user: name: "www-data" groups: "{{ user }}" append: "yes" @@ -50,7 +50,7 @@ # Ownership set to root so Postfix would not check if correct user owns the # file. - name: Set-up forwarding for mails delivered to local application user/admin - template: + ansible.builtin.template: src: "forward.j2" dest: "{{ home }}/.forward" owner: root @@ -58,12 +58,12 @@ mode: "0640" - name: Install extra packages for website - apt: + ansible.builtin.apt: name: "{{ packages }}" state: present - name: Deploy PHP FPM configuration file for website - template: + ansible.builtin.template: src: "fpm_site.conf.j2" dest: "{{ php_fpm_pool_directory }}/{{ fqdn }}.conf" validate: "{{ php_fpm_binary }} -t -y %s" @@ -74,7 +74,7 @@ - Restart PHP-FPM - name: Deploy nginx TLS private key for website - copy: + ansible.builtin.copy: dest: "/etc/ssl/private/{{ fqdn }}_https.key" content: "{{ https_tls_key }}" owner: root @@ -84,7 +84,7 @@ - Restart nginx - name: Deploy nginx TLS certificate for website - copy: + ansible.builtin.copy: dest: "/etc/ssl/certs/{{ fqdn }}_https.pem" content: "{{ https_tls_certificate }}" owner: root @@ -94,7 +94,7 @@ - Restart nginx - name: Deploy configuration file for checking certificate validity via cron - copy: + ansible.builtin.copy: content: "/etc/ssl/certs/{{ fqdn }}_https.pem" dest: "/etc/check_certificate/{{ fqdn }}_https.conf" owner: root @@ -102,7 +102,7 @@ mode: "0644" - name: Deploy nginx configuration file for website - template: + ansible.builtin.template: src: "nginx_site.j2" dest: "/etc/nginx/sites-available/{{ fqdn }}" owner: root @@ -113,7 +113,7 @@ - Restart nginx - name: Enable website - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/{{ fqdn }}" dest: "/etc/nginx/sites-enabled/{{ fqdn }}" state: link @@ -121,7 +121,7 @@ - Restart nginx - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/preseed/handlers/main.yml b/roles/preseed/handlers/main.yml index 8dae2fd6fcd7ea5173f2e61f1ea32b955134ba09..64ed8c7d39295a6b5016864971d59d5a1bfc1728 100644 --- a/roles/preseed/handlers/main.yml +++ b/roles/preseed/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Dummy handler to suppress Ansible warnings - debug: + ansible.builtin.debug: msg: "This is just a dummy task to suppress the Ansible warning about an empty include." diff --git a/roles/preseed/molecule/default/prepare.yml b/roles/preseed/molecule/default/prepare.yml index eefd77c3d02929d5fe3bed6cc81072fdb26e7060..ad4260a270d56a9bbe635a177383b7e91432684d 100644 --- a/roles/preseed/molecule/default/prepare.yml +++ b/roles/preseed/molecule/default/prepare.yml @@ -7,10 +7,10 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false diff --git a/roles/preseed/tasks/main.yml b/roles/preseed/tasks/main.yml index a46d16b73e4949bb767031ecbe6e4821162146a3..7be8ddb2c805deab40f98d645f17b9d2becc4d38 100644 --- a/roles/preseed/tasks/main.yml +++ b/roles/preseed/tasks/main.yml @@ -1,13 +1,13 @@ --- - name: Create directory for storing preseed configurations - file: + ansible.builtin.file: path: "{{ preseed_directory }}" mode: "0750" state: directory - name: Create preseed configuration file - template: + ansible.builtin.template: src: "preseed.cfg.j2" dest: "{{ preseed_directory }}/{{ item }}.cfg" mode: "0640" @@ -15,7 +15,7 @@ with_items: "{{ groups['all'] }}" - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/web_server/handlers/main.yml b/roles/web_server/handlers/main.yml index eb37ccbd5a810918ddcdfcb5a4855edb318ab49f..dc6065c4d957ecc9c6ed9884c4d8893ae14c0cd0 100644 --- a/roles/web_server/handlers/main.yml +++ b/roles/web_server/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: Reload systemd - systemd: + ansible.builtin.systemd: daemon_reload: true - name: Restart nginx - service: + ansible.builtin.service: name: nginx state: restarted - name: Restart PHP-FPM - service: + ansible.builtin.service: name: "{{ php_fpm_service_name }}" state: restarted diff --git a/roles/web_server/molecule/default/cleanup.yml b/roles/web_server/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/web_server/molecule/default/cleanup.yml +++ b/roles/web_server/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/web_server/molecule/default/prepare.yml b/roles/web_server/molecule/default/prepare.yml index 4e4b727b882399cd82335e66f3f884a9d0bc03e8..a2786386705b904507e654d59e321465baf3de2d 100644 --- a/roles/web_server/molecule/default/prepare.yml +++ b/roles/web_server/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init" + ansible.builtin.command: "gimmecert init" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Generate server private keys and certificates - command: + ansible.builtin.command: args: chdir: "tests/data/" creates: ".gimmecert/server/{{ item.name }}.cert.pem" @@ -29,7 +29,7 @@ fqdn: parameters-optional-bookworm - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -41,16 +41,16 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Install tools for testing - apt: + ansible.builtin.apt: name: - gnutls-bin - nmap @@ -62,7 +62,7 @@ tasks: - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter - blockinfile: + ansible.builtin.blockinfile: path: "/etc/ssl/openssl.cnf" block: | [openssl_init] @@ -85,7 +85,7 @@ tasks: - name: Set-up the hosts file - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -99,7 +99,7 @@ 192.168.56.22: "parameters-optional-bookworm" - name: Install curl for testing redirects and webpage content - apt: + ansible.builtin.apt: name: curl state: present @@ -109,17 +109,17 @@ tasks: - name: Install tool for testing TCP connectivity - apt: + ansible.builtin.apt: name: hping3 state: present - name: Install console-based web browser for interactive testing - apt: + ansible.builtin.apt: name: lynx state: present - name: Deploy CA certificate - copy: + ansible.builtin.copy: src: tests/data/x509/ca/level1.cert.pem dest: /usr/local/share/ca-certificates/testca.crt owner: root @@ -131,6 +131,6 @@ handlers: - name: Update CA certificate cache # noqa no-changed-when - command: /usr/sbin/update-ca-certificates --fresh + ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. diff --git a/roles/web_server/tasks/main.yml b/roles/web_server/tasks/main.yml index 5231de98a857f8f8c810a65b7cde8a08adfd63cc..1f33b0473f3bacf13d42f38867de597f47185f85 100644 --- a/roles/web_server/tasks/main.yml +++ b/roles/web_server/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Install nginx - apt: + ansible.builtin.apt: name: nginx state: present - name: Allow nginx user to traverse the directory with TLS private keys - user: + ansible.builtin.user: name: www-data append: true groups: ssl-cert @@ -14,7 +14,7 @@ - Restart nginx - name: Deploy nginx TLS private key - copy: + ansible.builtin.copy: dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key" content: "{{ default_https_tls_key }}" mode: "0640" @@ -24,7 +24,7 @@ - Restart nginx - name: Deploy nginx TLS certificate - copy: + ansible.builtin.copy: dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem" content: "{{ default_https_tls_certificate }}" mode: "0644" @@ -34,7 +34,7 @@ - Restart nginx - name: Generate the HTTPS server Diffie-Hellman parameter - openssl_dhparam: + community.crypto.openssl_dhparam: owner: root group: root mode: "0640" @@ -44,7 +44,7 @@ - Restart nginx - name: Deploy configuration file for checking certificate validity via cron - copy: + ansible.builtin.copy: content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem" dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf" owner: root @@ -52,7 +52,7 @@ mode: "0644" - name: Remove TLS protocol configuration from the main configuration file - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nginx/nginx.conf" backrefs: true regexp: "^\\s*ssl_protocols" @@ -61,7 +61,7 @@ - Restart nginx - name: Harden TLS by allowing only TLSv1.2 and PFS ciphers - template: + ansible.builtin.template: dest: "/etc/nginx/conf.d/tls.conf" src: "tls.conf.j2" owner: "root" @@ -71,7 +71,7 @@ - Restart nginx - name: Deploy script for verification of nginx vhost configurations - copy: + ansible.builtin.copy: src: "nginx_verify_site.sh" dest: "/usr/local/bin/nginx_verify_site.sh" owner: root @@ -79,7 +79,7 @@ mode: "0755" - name: Deploy default vhost configuration - template: + ansible.builtin.template: src: "nginx-default.j2" dest: "/etc/nginx/sites-available/default" owner: root @@ -90,7 +90,7 @@ - Restart nginx - name: Enable default website - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/default" dest: "/etc/nginx/sites-enabled/default" state: link @@ -98,7 +98,7 @@ - Restart nginx - name: Deploy firewall configuration for web server - copy: + ansible.builtin.copy: src: "ferm_http.conf" dest: "/etc/ferm/conf.d/30-web.conf" owner: root @@ -108,7 +108,7 @@ - Restart ferm - name: Remove the default Debian html files - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -116,7 +116,7 @@ - /var/www/html/ - name: Create directory for storing the default website page - file: + ansible.builtin.file: path: "/var/www/default/" state: directory owner: root @@ -124,7 +124,7 @@ mode: "0750" - name: Deploy the default index.html - template: + ansible.builtin.template: src: "index.html.j2" dest: /var/www/default/index.html owner: root @@ -132,13 +132,13 @@ mode: "0640" - name: Enable nginx service - service: + ansible.builtin.service: name: nginx enabled: true state: started - name: Install base packages for Python web applications - apt: + ansible.builtin.apt: name: - python3-setuptools - virtualenv @@ -146,12 +146,12 @@ state: present - name: Install base packages for PHP web applications - apt: + ansible.builtin.apt: name: "{{ php_fpm_package_name }}" state: present - name: Create directories for storing per-site socket files - file: + ansible.builtin.file: path: "/run/{{ item }}" state: directory owner: root @@ -162,7 +162,7 @@ - php - name: Create directories for storing per-site socket files on boot - copy: + ansible.builtin.copy: content: "d /run/{{ item.socket_dir }}/ 0750 root www-data - -" dest: "/etc/tmpfiles.d/{{ item.tmpfiles_d }}" owner: root @@ -175,7 +175,7 @@ tmpfiles_d: "{{ php_fpm_service_name }}.conf" - name: Create directory for storing PHP-FPM service configuration overrides - file: + ansible.builtin.file: path: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/" state: directory owner: root @@ -183,7 +183,7 @@ mode: "0755" - name: Configure PHP-FPM service to run with umask 0007 - copy: + ansible.builtin.copy: src: "php_fpm_umask.conf" dest: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/umask.conf" owner: root @@ -194,18 +194,18 @@ - Restart PHP-FPM - name: Enable service used for running PHP web applications - service: + ansible.builtin.service: name: "{{ php_fpm_service_name }}" enabled: true state: started - name: Read timezone on server - slurp: + ansible.builtin.slurp: src: "/etc/timezone" register: server_timezone - name: Configure timezone for PHP - template: + ansible.builtin.template: src: "php_timezone.ini.j2" dest: "{{ item }}/30-timezone.ini" owner: root @@ -218,7 +218,7 @@ - Restart PHP-FPM - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/wsgi_website/handlers/main.yml b/roles/wsgi_website/handlers/main.yml index 85cf33f3ed06ea1e3d29e3b6013a820062f21df3..e11ee2361e866cbb0a26495279cd53b13f3a0a9b 100644 --- a/roles/wsgi_website/handlers/main.yml +++ b/roles/wsgi_website/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Restart WSGI services - service: + ansible.builtin.service: name: "{{ item }}" state: restarted with_items: "{{ wsgi_services_to_restart }}" diff --git a/roles/wsgi_website/molecule/default/cleanup.yml b/roles/wsgi_website/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/wsgi_website/molecule/default/cleanup.yml +++ b/roles/wsgi_website/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/wsgi_website/molecule/default/converge.yml b/roles/wsgi_website/molecule/default/converge.yml index 1ecfd890eee621f7c78902930f70da3f9f0b21f4..b9087f4851f1313737980f4e82aa4512a3793652 100644 --- a/roles/wsgi_website/molecule/default/converge.yml +++ b/roles/wsgi_website/molecule/default/converge.yml @@ -97,7 +97,7 @@ tasks: # parameters-mandatory application - name: Set-up directories where application files are hosted at - file: + ansible.builtin.file: path: "/var/www/parameters-mandatory/{{ item }}" state: directory owner: admin-parameters-mandatory @@ -108,7 +108,7 @@ - htdocs/media - code - name: Deploy WSGI application - copy: + ansible.builtin.copy: src: "tests/data/python/wsgi/testapp.py" dest: "/var/www/parameters-mandatory/code/testapp.py" owner: admin-parameters-mandatory @@ -117,14 +117,14 @@ notify: - Restart parameters-mandatory - name: Deploy a static file - copy: + ansible.builtin.copy: src: "tests/data/static_file.txt" dest: "/var/www/parameters-mandatory/htdocs/static/static_file.txt" owner: admin-parameters-mandatory group: web-parameters-mandatory mode: "0640" - name: Deploy a media file - copy: + ansible.builtin.copy: src: "tests/data/media_file.txt" dest: "/var/www/parameters-mandatory/htdocs/media/media_file.txt" owner: admin-parameters-mandatory @@ -133,7 +133,7 @@ # parameters-optional application - name: Set-up directories where application files are hosted at - file: + ansible.builtin.file: path: "/var/www/parameters-optional.local/{{ item }}" state: directory owner: admin-parameters-optional_local @@ -144,7 +144,7 @@ - htdocs/media - code - name: Deploy WSGI application - copy: + ansible.builtin.copy: src: "tests/data/python/wsgi/testapp.py" dest: "/var/www/parameters-optional.local/code/testapp.py" owner: admin-parameters-optional_local @@ -153,14 +153,14 @@ notify: - Restart parameters-optional.local - name: Deploy a static file - copy: + ansible.builtin.copy: src: "tests/data/static_file.txt" dest: "/var/www/parameters-optional.local/htdocs/static/static_file.txt" owner: admin-parameters-optional_local group: web-parameters-optional_local mode: "0640" - name: Deploy a media file - copy: + ansible.builtin.copy: src: "tests/data/media_file.txt" dest: "/var/www/parameters-optional.local/htdocs/media/media_file.txt" owner: admin-parameters-optional_local @@ -169,7 +169,7 @@ # parameters-paste-req application - name: Set-up directories where application files are hosted at - file: + ansible.builtin.file: path: "/var/www/parameters-paste-req/{{ item }}" state: directory owner: admin-parameters-paste-req @@ -180,7 +180,7 @@ - htdocs/media - code - name: Deploy WSGI application - copy: + ansible.builtin.copy: src: "tests/data/python/paste/{{ item }}" dest: "/var/www/parameters-paste-req/code/{{ item }}" owner: admin-parameters-paste-req @@ -193,14 +193,14 @@ notify: - Restart parameters-paste-req - name: Deploy a static file - copy: + ansible.builtin.copy: src: "tests/data/static_file.txt" dest: "/var/www/parameters-paste-req/htdocs/static/static_file.txt" owner: admin-parameters-paste-req group: web-parameters-paste-req mode: "0640" - name: Deploy a media file - copy: + ansible.builtin.copy: src: "tests/data/media_file.txt" dest: "/var/www/parameters-paste-req/htdocs/media/media_file.txt" owner: admin-parameters-paste-req @@ -209,14 +209,14 @@ handlers: - name: Restart parameters-mandatory - service: + ansible.builtin.service: name: parameters-mandatory state: restarted - name: Restart parameters-optional.local - service: + ansible.builtin.service: name: parameters-optional.local state: restarted - name: Restart parameters-paste-req - service: + ansible.builtin.service: name: parameters-paste-req state: restarted diff --git a/roles/wsgi_website/molecule/default/prepare.yml b/roles/wsgi_website/molecule/default/prepare.yml index 7112f12c9130fab03c04f342c5a42f006914d07d..e5de092b6fb1b6d2d84afdcd4d6569499bd1a2b2 100644 --- a/roles/wsgi_website/molecule/default/prepare.yml +++ b/roles/wsgi_website/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init" + ansible.builtin.command: "gimmecert init" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Generate server private keys and certificates - command: + ansible.builtin.command: args: chdir: "tests/data/" creates: ".gimmecert/server/{{ item.name }}.cert.pem" @@ -33,7 +33,7 @@ fqdn: wsgi-website - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -45,16 +45,16 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Remove the ss utility (see https://github.com/philpep/testinfra/pull/320) - file: + ansible.builtin.file: path: "/bin/ss" state: absent @@ -64,37 +64,37 @@ tasks: - name: Set-up /etc/hosts entries - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts line: "{{ ansible_eth0.ipv4.address }} parameters-mandatory parameters-optional.local parameters-paste-req wsgi-website" - name: Install curl for testing redirects and webpage content - apt: + ansible.builtin.apt: name: curl state: present - name: Install swaks for testing mail forwarding - apt: + ansible.builtin.apt: name: swaks state: present - name: Install net-tools for testing sockets - apt: + ansible.builtin.apt: name: net-tools state: present - name: Install Postfix for testing mail forwarding (Exim4 not covered) - apt: + ansible.builtin.apt: name: postfix state: present - name: Install procmail for consistency with mail_server and mail_forwarder roles - apt: + ansible.builtin.apt: name: procmail state: present - name: Update Postfix configuration - lineinfile: + ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^{{ item.key }}" line: "{{ item.value }}" @@ -106,7 +106,7 @@ - Restart Postfix - name: Direct all mails from the root account to vagrant - lineinfile: + ansible.builtin.lineinfile: path: /etc/aliases regexp: "^root" line: "root: vagrant" @@ -115,12 +115,12 @@ - Generate aliases database - name: Set-up group for an additional user - group: + ansible.builtin.group: name: user state: present - name: Set-up additional user for testing mail delivery - user: + ansible.builtin.user: name: user group: user shell: /bin/bash @@ -128,11 +128,11 @@ handlers: - name: Restart Postfix - service: + ansible.builtin.service: name: postfix state: restarted - name: Generate aliases database # noqa no-changed-when - command: "/usr/bin/newaliases" + ansible.builtin.command: "/usr/bin/newaliases" # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. diff --git a/roles/wsgi_website/tasks/main.yml b/roles/wsgi_website/tasks/main.yml index d2d9a8f521a4767f6112386b2a7e8094a7c33ccd..bc3d8493041e42bbf38218b8ecc5ef5e791c310c 100644 --- a/roles/wsgi_website/tasks/main.yml +++ b/roles/wsgi_website/tasks/main.yml @@ -1,23 +1,23 @@ --- - name: Create WSGI website group - group: + ansible.builtin.group: name: "{{ user }}" gid: "{{ uid | default(omit) }}" state: present - name: Create WSGI website admin user - user: + ansible.builtin.user: name: "{{ admin }}" uid: "{{ admin_uid | default(omit) }}" group: "{{ user }}" - shell: /bin/bash + ansible.builtin.shell: /bin/bash createhome: true home: "{{ home }}" state: present - name: Set-up directory for storing user profile configuration files - file: + ansible.builtin.file: path: "{{ home }}/.profile.d" state: directory owner: "{{ admin }}" @@ -25,7 +25,7 @@ mode: "0750" - name: Deploy profile configuration file for auto-activating the virtual environment - copy: + ansible.builtin.copy: src: "profile_virtualenv.sh" dest: "{{ home }}/.profile.d/virtualenv.sh" owner: root @@ -33,7 +33,7 @@ mode: "0640" - name: Deploy profile configuration file for setting environment variables - template: + ansible.builtin.template: src: "environment.sh.j2" dest: "{{ home }}/.profile.d/environment.sh" owner: root @@ -41,7 +41,7 @@ mode: "0640" - name: Create WSGI website user - user: + ansible.builtin.user: name: "{{ user }}" uid: "{{ uid | default(omit) }}" group: "{{ user }}" @@ -53,10 +53,10 @@ # This is a workaround for a rather stupid bug that Debian seems # uninterested to backport - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762 - shell: /bin/sh + ansible.builtin.shell: /bin/sh - name: Add nginx user to website group - user: + ansible.builtin.user: name: www-data groups: "{{ user }}" append: true @@ -66,7 +66,7 @@ # Ownership set to root so Postfix would not check if correct user owns the # file. - name: Set-up forwarding for mails delivered to local application user/admin - template: + ansible.builtin.template: src: "forward.j2" dest: "{{ home }}/.forward" owner: root @@ -74,7 +74,7 @@ mode: "0640" - name: Install extra packages for website - apt: + ansible.builtin.apt: name: "{{ packages }}" state: present register: install_extra_packages @@ -82,7 +82,7 @@ - Restart WSGI services - name: Retrieve requested Python interpreter version - command: + ansible.builtin.command: argv: - "{{ python_interpreter }}" - "-c" @@ -91,7 +91,7 @@ register: python_interpreter_version - name: Retrieve virtual environment Python interpreter version (if initialised) - command: + ansible.builtin.command: argv: - "{{ home }}/virtualenv/bin/python" - "-c" @@ -102,7 +102,7 @@ register: virtualenv_python_version - name: Retrieve virtual environment prompt - command: + ansible.builtin.command: argv: - "bash" - "-c" @@ -112,7 +112,7 @@ register: current_virtualenv_prompt - name: Remove virtual environment in case of mismatches - file: + ansible.builtin.file: path: "{{ home }}/virtualenv" state: absent when: | @@ -123,7 +123,7 @@ - Restart WSGI services - name: Create directory for storing the Python virtual environment - file: + ansible.builtin.file: path: "{{ home }}/virtualenv" state: directory owner: "{{ admin }}" @@ -131,14 +131,14 @@ mode: "02750" - name: Create Python virtual environment - command: '/usr/bin/virtualenv --python "{{ python_interpreter }}" --prompt "{{ virtualenv_prompt }}" "{{ home }}/virtualenv"' + ansible.builtin.command: '/usr/bin/virtualenv --python "{{ python_interpreter }}" --prompt "{{ virtualenv_prompt }}" "{{ home }}/virtualenv"' args: creates: "{{ home }}/virtualenv/bin/{{ python_interpreter | basename }}" become: true become_user: "{{ admin }}" - name: Configure project directory for the Python virtual environment - template: + ansible.builtin.template: src: "venv_project.j2" dest: "{{ home }}/virtualenv/.project" owner: "{{ admin }}" @@ -146,7 +146,7 @@ mode: "0640" - name: Deploy virtualenv wrapper - template: + ansible.builtin.template: src: "venv_exec.j2" dest: "{{ home }}/virtualenv/bin/exec" owner: "{{ admin }}" @@ -154,7 +154,7 @@ mode: "0750" - name: Set-up directory for storing requirements file for upgrade checks - file: + ansible.builtin.file: path: "{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}" state: directory owner: root @@ -162,7 +162,7 @@ mode: "0750" - name: Deploy WSGI requirements files for upgrade checks - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}/{{ item }}" owner: root @@ -173,7 +173,7 @@ - wsgi_requirements.txt - name: Deploy Gunicorn requirements file for installation purposes - template: + ansible.builtin.template: src: "wsgi_requirements.txt.j2" dest: "{{ home }}/.wsgi_requirements.txt" owner: "{{ admin }}" @@ -183,7 +183,7 @@ - name: Install Gunicorn via requirements file become: true become_user: "{{ admin }}" - pip: + ansible.builtin.pip: requirements: "{{ home }}/.wsgi_requirements.txt" state: present virtualenv: "{{ home }}/virtualenv" @@ -194,7 +194,7 @@ - name: Install additional packages in Python virtual environment become: true become_user: "{{ admin }}" - pip: + ansible.builtin.pip: name: "{{ virtualenv_packages }}" state: present virtualenv: "{{ home }}/virtualenv" @@ -204,7 +204,7 @@ - Restart WSGI services - name: Deploy systemd socket configuration for website - template: + ansible.builtin.template: src: "systemd_wsgi_website.socket.j2" dest: "/etc/systemd/system/{{ fqdn }}.socket" owner: root @@ -216,7 +216,7 @@ - Restart WSGI services - name: Deploy systemd service configuration for website - template: + ansible.builtin.template: src: "systemd_wsgi_website.service.j2" dest: "/etc/systemd/system/{{ fqdn }}.service" owner: root @@ -228,13 +228,13 @@ - Restart WSGI services - name: Enable the website service - service: + ansible.builtin.service: name: "{{ fqdn }}" enabled: true state: started - name: Create directory where static files can be served from - file: + ansible.builtin.file: path: "{{ home }}/htdocs/" state: directory owner: "{{ admin }}" @@ -242,7 +242,7 @@ mode: "02750" - name: Deploy nginx TLS private key for website - copy: + ansible.builtin.copy: dest: "/etc/ssl/private/{{ fqdn }}_https.key" content: "{{ https_tls_key }}" owner: root @@ -252,7 +252,7 @@ - Restart nginx - name: Deploy nginx TLS certificate for website - copy: + ansible.builtin.copy: dest: "/etc/ssl/certs/{{ fqdn }}_https.pem" content: "{{ https_tls_certificate }}" owner: root @@ -262,7 +262,7 @@ - Restart nginx - name: Deploy configuration file for checking certificate validity via cron - copy: + ansible.builtin.copy: content: "/etc/ssl/certs/{{ fqdn }}_https.pem" dest: "/etc/check_certificate/{{ fqdn }}_https.conf" owner: root @@ -270,7 +270,7 @@ mode: "0644" - name: Deploy nginx configuration file for website - template: + ansible.builtin.template: src: "nginx_site.j2" dest: "/etc/nginx/sites-available/{{ fqdn }}" owner: root @@ -281,7 +281,7 @@ - Restart nginx - name: Enable nginx website - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/{{ fqdn }}" dest: "/etc/nginx/sites-enabled/{{ fqdn }}" state: link @@ -289,7 +289,7 @@ - Restart nginx - name: Set-up empty list of WSGI services to restart - set_fact: + ansible.builtin.set_fact: wsgi_services_to_restart: [] when: "wsgi_services_to_restart is not defined" tags: @@ -299,7 +299,7 @@ # [no-handler] Tasks that run when changed should likely be handlers # This specific task is used in order to work around inability of Ansible # to provide properly parametrised handlers for reusable roles. - set_fact: + ansible.builtin.set_fact: wsgi_services_to_restart: "{{ wsgi_services_to_restart + [fqdn] }}" when: | fqdn not in wsgi_services_to_restart and @@ -313,7 +313,7 @@ - handlers - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers diff --git a/roles/xmpp_server/handlers/main.yml b/roles/xmpp_server/handlers/main.yml index 979e1c01ae4bc65689edacb90da2eee13524c9a7..2dd44f736f8c7c4f50bfd52dff2a46746f61025c 100644 --- a/roles/xmpp_server/handlers/main.yml +++ b/roles/xmpp_server/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart Prosody - service: + ansible.builtin.service: name: prosody state: restarted diff --git a/roles/xmpp_server/molecule/default/cleanup.yml b/roles/xmpp_server/molecule/default/cleanup.yml index c99ee79c29bc84b49f955fbcdf8734cda064bc64..32ba90b5c0f67eede47dee009ed76de8acd3ea27 100644 --- a/roles/xmpp_server/molecule/default/cleanup.yml +++ b/roles/xmpp_server/molecule/default/cleanup.yml @@ -7,7 +7,7 @@ tasks: - name: Remove X.509 material - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: diff --git a/roles/xmpp_server/molecule/default/prepare.yml b/roles/xmpp_server/molecule/default/prepare.yml index 2812c9662ec7594f387b3ebe317f216fe175c96a..7764229376c314fceaaebb366e191d113b220edf 100644 --- a/roles/xmpp_server/molecule/default/prepare.yml +++ b/roles/xmpp_server/molecule/default/prepare.yml @@ -7,13 +7,13 @@ tasks: - name: Initialise CA hierarchy - command: "gimmecert init" + ansible.builtin.command: "gimmecert init" args: creates: ".gimmecert/ca/level1.cert.pem" chdir: "tests/data/" - name: Generate server private keys and certificates - command: + ansible.builtin.command: args: chdir: "tests/data/" creates: ".gimmecert/server/{{ item.name }}.cert.pem" @@ -40,7 +40,7 @@ - conference.domain3 - name: Set-up link to generated X.509 material - file: + ansible.builtin.file: src: ".gimmecert" dest: "tests/data/x509" state: link @@ -52,24 +52,24 @@ tasks: - name: Install python for Ansible - raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) + ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal) become: true changed_when: false - name: Update all caches to avoid errors due to missing remote archives - apt: + ansible.builtin.apt: update_cache: true changed_when: false - name: Install tools for testing - apt: + ansible.builtin.apt: name: - gnutls-bin - nmap state: present - name: Use name provided via CLI when running STARTTLS handshake for XMPP via nmap - replace: + ansible.builtin.replace: path: "/usr/share/nmap/nselib/sslcert.lua" regexp: "host\\.name\\)" replace: "host.targetname)" @@ -80,7 +80,7 @@ tasks: - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter - blockinfile: + ansible.builtin.blockinfile: path: "/etc/ssl/openssl.cnf" block: | [openssl_init] @@ -98,7 +98,7 @@ state: present - name: Set-up the hosts file - lineinfile: + ansible.builtin.lineinfile: path: /etc/hosts regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}" @@ -118,12 +118,12 @@ tasks: - name: Install tool for testing TCP connectivity - apt: + ansible.builtin.apt: name: hping3 state: present - name: Deploy CA certificate - copy: + ansible.builtin.copy: src: tests/data/x509/ca/level1.cert.pem dest: /usr/local/share/ca-certificates/testca.crt owner: root @@ -133,28 +133,28 @@ - Update CA certificate cache - name: Install console-based XMPP client (for interactive testing) - apt: + ansible.builtin.apt: name: mcabber state: present - name: Install console-based XMPP tool (for non-interactive testing) - apt: + ansible.builtin.apt: name: go-sendxmpp state: present - name: Create dedicated group for testing - group: + ansible.builtin.group: name: user state: present - name: Create dedicated user for testing - user: + ansible.builtin.user: name: user group: user - shell: /bin/bash + ansible.builtin.shell: /bin/bash - name: Deploy mcabber configuration files - template: + ansible.builtin.template: src: tests/data/mcabber.cfg.j2 dest: "~user/{{ item.jid }}.cfg" owner: user @@ -185,7 +185,7 @@ handlers: - name: Update CA certificate cache # noqa no-changed-when - command: /usr/sbin/update-ca-certificates --fresh + ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh # [no-changed-when] Commands should not change things if nothing needs doing # Does not matter in test prepare stage. @@ -202,7 +202,7 @@ tasks: - name: Create LDAP accounts for testing - ldap_entry: + community.general.ldap_entry: dn: "{{ item.dn }}" objectClass: "{{ item.objectClass }}" attributes: "{{ item.attributes }}" @@ -268,14 +268,14 @@ tasks: - name: Install console-based XMPP tool (for non-interactive testing) - apt: + ansible.builtin.apt: name: "{{ sendxmpp_package }}" state: present vars: sendxmpp_package: "go-sendxmpp" - name: Deploy small Lua script for listing the enabled modules in Prosody - copy: + ansible.builtin.copy: src: list_prosody_modules.lua dest: "/usr/local/bin/list_prosody_modules.lua" owner: root diff --git a/roles/xmpp_server/tasks/main.yml b/roles/xmpp_server/tasks/main.yml index 6f344d9686dd1c5a062a5e845cd6eb85d11796ab..9eb00c7bdccdbdd96c02f1d7c0adb504ff73867c 100644 --- a/roles/xmpp_server/tasks/main.yml +++ b/roles/xmpp_server/tasks/main.yml @@ -4,7 +4,7 @@ # =================== - name: Set-up the Debian backports repository - template: + ansible.builtin.template: src: backports.list.j2 dest: /etc/apt/sources.list.d/backports.list owner: root @@ -18,12 +18,12 @@ # change when changing distro version etc), we have to use # template instead, but this also means we need to trigger the apt # cache reload by hand. - apt: + ansible.builtin.apt: update_cache: true when: backports_repository_configuration.changed - name: Install additional Prosody dependencies - apt: + ansible.builtin.apt: name: - lua-ldap - prosody-modules @@ -32,20 +32,20 @@ - Restart Prosody - name: Install Prosody - apt: + ansible.builtin.apt: name: prosody state: present notify: - Restart Prosody - name: Allow Prosody user to traverse the directory with TLS private keys - user: + ansible.builtin.user: name: prosody append: true groups: ssl-cert - name: Deploy XMPP TLS private key - copy: + ansible.builtin.copy: dest: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key" content: "{{ xmpp_tls_key }}" owner: root @@ -55,7 +55,7 @@ - Restart Prosody - name: Deploy XMPP TLS certificate - copy: + ansible.builtin.copy: dest: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem" content: "{{ xmpp_tls_certificate }}" owner: root @@ -65,7 +65,7 @@ - Restart Prosody - name: Generate the XMPP server Diffie-Hellman parameter - openssl_dhparam: + community.crypto.openssl_dhparam: owner: root group: prosody mode: "0640" @@ -75,7 +75,7 @@ - Restart Prosody - name: Deploy configuration file for checking certificate validity via cron - copy: + ansible.builtin.copy: content: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem" dest: "/etc/check_certificate/{{ ansible_fqdn }}_xmpp.conf" owner: root @@ -83,7 +83,7 @@ mode: "0644" - name: Deploy script for validating Prosody certificate - copy: + ansible.builtin.copy: src: "check_prosody_certificate.sh" dest: "/usr/local/bin/check_prosody_certificate.sh" owner: root @@ -91,7 +91,7 @@ mode: "0755" - name: Set-up crontab task that runs the Prosody certificate checker script once a day - copy: + ansible.builtin.copy: src: "cron_check_prosody_certificate" dest: "/etc/cron.d/check_prosody_certificate" owner: root @@ -99,7 +99,7 @@ mode: "0644" - name: Deploy LDAP client configuration (for validating LDAP server certificate) - copy: + ansible.builtin.copy: src: prosody_ldaprc dest: "/var/lib/prosody/.ldaprc" owner: root @@ -109,7 +109,7 @@ - Restart Prosody - name: Deploy Prosody configuration file - template: + ansible.builtin.template: src: "prosody.cfg.lua.j2" dest: "/etc/prosody/prosody.cfg.lua" owner: root @@ -119,13 +119,13 @@ - Restart Prosody - name: Enable and start Prosody service - service: + ansible.builtin.service: name: prosody state: started enabled: true - name: Deploy firewall configuration for XMPP server - copy: + ansible.builtin.copy: src: "ferm_xmpp.conf" dest: "/etc/ferm/conf.d/30-xmpp.conf" owner: root @@ -135,7 +135,7 @@ - Restart ferm - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers