diff --git a/docs/rolereference.rst b/docs/rolereference.rst index bd7f791184d6ac0b0fc22f51a3496cb4c59beaed..c798c81a9093b79eb8879b81cdf4ffa22fade44f 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -355,7 +355,7 @@ Parameters will have OS-determined GID. **additional_groups** (list, optional, ``[]``) - Comma-separated list of additional groups that a user should belong to. + List of additional groups that a user should belong to. **authorized_keys** (list, optional, ``[]``) List of SSH public keys that should be deployed to user's authorized_keys diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index fbacdcc72c3824bb65973acd10fbd28eb7250c2b..4ff2df9dc2c728850aa372a4962fb9ea52f85519 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml 
@@ -2,15 +2,35 @@ - name: Update PAM configuration command: /usr/sbin/pam-auth-update --package + tags: + # [ANSIBLE0012] Commands should not change things if nothing needs doing + # This task is invoked only if user is very specific about requiring to + # run the handlers manually as a way to bring the system to consistency + # after interrupted runs. + - skip_ansible_lint - name: Restart SSH service: name=ssh state=restarted - name: Update CA certificate cache command: /usr/sbin/update-ca-certificates --fresh + tags: + # [ANSIBLE0012] Commands should not change things if nothing needs doing + # This task is invoked only if user is very specific about requiring to + # run the handlers manually as a way to bring the system to consistency + # after interrupted runs. + - skip_ansible_lint - name: Restart ferm service: name=ferm state=restarted +# @TODO: Replace this with use of systemd module once Ansible is upgraded to +# version 2.2+. - name: Reload systemd - command: systemctl daemon-reload \ No newline at end of file + command: systemctl daemon-reload + tags: + # [ANSIBLE0012] Commands should not change things if nothing needs doing + # This task is invoked only if user is very specific about requiring to + # run the handlers manually as a way to bring the system to consistency + # after interrupted runs. + - skip_ansible_lint diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 83ec48c425af134a0d1ca48a13a506d7a826b756..f08bdae45ccc87b7695569a6749727ed4794a8f7 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -2,7 +2,7 @@ - name: Enable use of proxy for retrieving system packages via apt template: src="apt_proxy.j2" dest="/etc/apt/apt.conf.d/00proxy" - owner=root group=root mode=644 + owner=root group=root mode=0644 when: apt_proxy is defined - name: Disable use of proxy for retrieving system packages via apt 
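Review bot: The four-line justification copied under each `skip_ansible_lint` tag in the handlers hunk says these tasks run "only if user is very specific about requiring to run the handlers manually", but they are ordinary handlers notified from roles/common/tasks/main.yml (`notify: Update PAM configuration`, `notify: Restart ferm`); the lint finding only arises because the tasks file also includes this handler file as regular tasks at its end. One file-level comment would be clearer than three identical copies, e.g. `# These handlers are also included as ordinary tasks at the end of roles/common/tasks/main.yml to bring an interrupted run back to a consistent state, which is why ansible-lint raises ANSIBLE0012 on the command modules below.`. The new `@TODO` on `Reload systemd` is fine, but consider `changed_when`/`check_mode` notes there as well, since `daemon-reload` reports changed on every run.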
@@ -10,7 +10,7 @@ when: apt_proxy is undefined - name: Deploy pam-auth-update configuration file for enabling pam_umask - copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=644 owner=root group=root + copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=0644 owner=root group=root notify: Update PAM configuration - name: Set login UMASK @@ -21,15 +21,15 @@ - name: Deploy bash profile configuration for fancier prompts template: src="bash_prompt.sh.j2" dest="/etc/profile.d/bash_prompt.sh" - owner=root group=root mode=644 + owner=root group=root mode=0644 - name: Deploy profile configuration that allows for user-specific profile.d files copy: src="user_profile_d.sh" dest="/etc/profile.d/z99-user_profile_d.sh" - owner=root group=root mode=644 + owner=root group=root mode=0644 - name: Replace default and skeleton bashrc copy: src="{{ item.key }}" dest="{{ item.value }}" - owner=root group=root mode=644 + owner=root group=root mode=0644 with_dict: skel_bashrc: "/etc/skel/.bashrc" bashrc: "/etc/bash.bashrc" @@ -40,7 +40,7 @@ - name: Replace stock bashrc for root account with skeleton one copy: src="skel_bashrc" dest="/root/.bashrc" - owner=root group=root mode=640 + owner=root group=root mode=0640 when: root_bashrc_stat.stat.checksum == "b737c392222ddac2271cc8d0d8cc0308d08cf458" - name: Install sudo @@ -62,7 +62,7 @@ - name: Disable electric-indent-mode for Emacs by default for all users copy: src="01disable-electric-indent-mode.el" dest="/etc/emacs/site-start.d/01disable-electric-indent-mode.el" - owner=root group=root mode=644 + owner=root group=root mode=0644 when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages" - name: Set-up operating system groups 
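Review bot: Every `mode=644` → `mode=0644` change in these hunks is cosmetic rather than a behaviour fix: in Ansible's `key=value` shorthand the value is always a string and a digit-only mode string is parsed as octal, so `644` and `0644` yield the same permissions. The implicit-typing hazard the change guards against only bites once the tasks are converted to block YAML (`mode: 644` would then be decimal). If the intent is to make these tasks lint-clean and type-safe, the durable fix is block-style module arguments with the mode quoted, e.g. `mode: "0644"`; otherwise a short comment that the leading zero is for consistency only would avoid readers assuming a permission bug was fixed.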
@@ -96,24 +96,30 @@ - Restart SSH - name: Deploy CA certificates - copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=644 owner=root group=root + copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=0644 owner=root group=root with_dict: "{{ ca_certificates }}" register: deploy_ca_certificates_result - name: Update CA certificate cache command: /usr/sbin/update-ca-certificates --fresh when: deploy_ca_certificates_result.changed + tags: + # [ANSIBLE0016] Tasks that run when changed should likely be handlers + # CA certificate cache must be updated immediatelly in order for + # applications depending on deployed CA certificates can use them to + # validate server/client certificates. + - skip_ansible_lint - name: Install ferm (for firewall management) apt: name=ferm state=installed - name: Configure ferm init script coniguration file - copy: src=ferm dest=/etc/default/ferm owner=root group=root mode=644 + copy: src=ferm dest=/etc/default/ferm owner=root group=root mode=0644 notify: - Restart ferm - name: Create directory for storing ferm configuration files - file: dest="/etc/ferm/conf.d/" mode=750 state=directory owner=root group=root + file: dest="/etc/ferm/conf.d/" mode=0750 state=directory owner=root group=root - name: Deploy main ferm configuration file copy: src=ferm.conf dest=/etc/ferm/ferm.conf @@ -122,7 +128,7 @@ - name: Deploy ferm base rules template: src=00-base.conf.j2 dest=/etc/ferm/conf.d/00-base.conf - owner=root group=root mode=640 + owner=root group=root mode=0640 notify: - Restart ferm 
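Review bot: The added lint-skip comment on `Update CA certificate cache` has a typo (`immediatelly`) and the sentence does not parse ("in order for applications ... can use them"); suggest `# The CA trust store must be rebuilt immediately so that applications relying on the deployed CA certificates can validate peer certificates in the same run.`. Separately, the rebuild is gated on `deploy_ca_certificates_result.changed`, which only fires for certificates added or modified by the `with_dict` loop; as far as this hunk shows, an entry removed from `ca_certificates` leaves its `.crt` in /usr/local/share/ca-certificates and it stays trusted even after `--fresh`. Either prune files not present in the dict before the rebuild, or document that retiring a CA requires manual removal.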
@@ -136,11 +142,11 @@ - name: Deploy script for validating server certificates copy: src="check_certificate.sh" dest="/usr/local/bin/check_certificate.sh" - owner=root group=root mode=755 + owner=root group=root mode=0755 - name: Set-up directory for holding configuration for certificate validation script file: path="/etc/check_certificate" state="directory" - owner="root" group="root" mode="755" + owner="root" group="root" mode="0755" - name: Deploy crontab entry for checking certificates cron: name="check_certificate" cron_file="check_certificate" hour=0 minute=0 job="/usr/local/bin/check_certificate.sh expiration" 
@@ -165,34 +171,43 @@ owner="pipreqcheck" group="pipreqcheck" mode="0750" - name: Create Python virtual environment used for installing/running pip-tools + become: yes become_user: "pipreqcheck" command: /usr/bin/virtualenv --prompt "(pipreqcheck)" "/var/lib/pipreqcheck/virtualenv" creates="/var/lib/pipreqcheck/virtualenv/bin/activate" + tags: + # [ANSIBLE0012] Commands should not change things if nothing needs doing + # Command will not run if the virtualenv has already been created, + # therefore the warning is a false positive. + - skip_ansible_lint - name: Create directory for storing pip requirements files file: path="/etc/pip_check_requirements_upgrades" state="directory" - owner="root" group="pipreqcheck" mode=750 + owner="root" group="pipreqcheck" mode=0750 - name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself file: path="/etc/pip_check_requirements_upgrades/pipreqcheck" state="directory" - owner="root" group="pipreqcheck" mode=750 + owner="root" group="pipreqcheck" mode=0750 - name: Deploy .in file for pip requirements in pip-tools virtual environment copy: src="pipreqcheck_requirements.in" dest="/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in" - owner="root" group="pipreqcheck" mode=640 + owner="root" group="pipreqcheck" mode=0640 - name: Deploy requirements file for pipreqcheck virtual environment template: src="pipreqcheck_requirements.txt.j2" dest="/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" - owner="root" group="pipreqcheck" mode=640 + owner="root" group="pipreqcheck" mode=0640 - name: Install latest pip in pip-tools virtual environment + become: yes become_user: "pipreqcheck" - pip: name=pip state=latest virtualenv="~pipreqcheck/virtualenv" + pip: name="pip>=9.0.0,<10.0.0" virtualenv="~pipreqcheck/virtualenv" - name: Install pip-tools if not present + become: yes become_user: "pipreqcheck" pip: name=pip-tools state=present virtualenv="~pipreqcheck/virtualenv" - 
name: Synchronise pip-tools virtual environment via deployed requirements file + become: yes become_user: "pipreqcheck" shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" args: @@ -202,11 +217,11 @@ - name: Deploy script for checking available upgrades copy: src="pip_check_requirements_upgrades.sh" dest="/usr/local/bin/pip_check_requirements_upgrades.sh" - owner=root group=root mode=755 + owner=root group=root mode=0755 - name: Deploy crontab entry for checking pip requirements copy: src="cron_check_pip_requirements" dest="/etc/cron.d/check_pip_requirements" - owner="root" group="root" mode=644 + owner="root" group="root" mode=0644 - name: Explicitly run all handlers include: ../handlers/main.yml
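Review bot: The pipreqcheck hunk (which starts on the previous line) pins pip to `name="pip>=9.0.0,<10.0.0"` but still bootstraps `pip-tools` with `state=present` and no version, so a fresh host installs whatever pip-tools release PyPI serves at that moment before `pip-sync` can reconcile it against the deployed requirements.txt. If the rendered requirements.txt already pins pip-tools this is only a transient window, but it deserves a comment; otherwise pin the bootstrap too (`pip: name="pip-tools==<pinned version>" virtualenv="~pipreqcheck/virtualenv"`). The `<10.0.0` cap also freezes pip on the 9.x line, excluding any later fixes, so a comment recording why the upper bound exists would help future maintainers decide when to lift it. Minor style point: the added `become: yes` lines should be `become: true` to satisfy yamllint's truthy rule.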