Changeset - 0be45939fc2a
0 4 0
Branko Majic (branko) - 15 months ago 2024-09-03 15:42:49
branko@majic.rs
MAR-218: Fix erroneous replacement of shell attribute (from FQCN fixes).
4 files changed with 6 insertions and 6 deletions:
roles/common/tasks/main.yml
 
---
 

	
 
# Deprecation
 
# ===========
 

	
 
- name: Drop deprecated directories and files
 
  ansible.builtin.file:
 
    path: "{{ item }}"
 
    state: absent
 
  with_items:
 
    - "/etc/pip_check_requirements_upgrades-py3"
 
    - "/var/lib/pipreqcheck/virtualenv-py3"
 
    - "/etc/cron.d/check_pip_requirements-py3"
 

	
 
- name: Drop deprecated packages
 
  ansible.builtin.apt:
 
    name:
 
      - ntp
 
      - ntpdate
 
    state: absent
 
    purge: true
 

	
 
# Main implementation
 
# ===================
 

	
 
- name: Enable use of proxy for retrieving system packages via apt
 
  ansible.builtin.template:
 
    src: "apt_proxy.j2"
 
    dest: "/etc/apt/apt.conf.d/00proxy"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  when: apt_proxy is defined
 

	
 
- name: Disable use of proxy for retrieving system packages via apt
 
  ansible.builtin.file:
 
    path: "/etc/apt/apt.conf.d/00proxy"
 
    state: absent
 
  when: apt_proxy is undefined
 

	
 
- name: Deploy pam-auth-update configuration file for enabling pam_umask
 
  ansible.builtin.copy:
 
    src: "pam_umask"
 
    dest: "/usr/share/pam-configs/umask"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  register: pam_umask
 
  notify:
 
    - Update PAM configuration
 

	
 
- name: Update PAM configuration  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   In order to have consistent behaviour during the first and
 
  #   subsequent playbook runs, make sure the PAM configuration is
 
  #   updated immediatelly. This way any files created by commands etc
 
  #   should end-up with correct permissions straight away.
 
  ansible.builtin.command: "/usr/sbin/pam-auth-update --package"
 
  when: pam_umask.changed
 
  changed_when: true  # Always results in change due to task logic.
 

	
 
- name: Set login UMASK
 
  ansible.builtin.lineinfile:
 
    dest: "/etc/login.defs"
 
    state: present
 
    backrefs: true
 
    regexp: '^UMASK(\s+)'
 
    line: 'UMASK\g<1>027'
 

	
 
- name: Set home directory mask
 
  ansible.builtin.lineinfile:
 
    dest: "/etc/adduser.conf"
 
    state: present
 
    backrefs: true
 
    regexp: '^\s*#?\s*DIR_MODE='
 
    line: 'DIR_MODE=0750'
 

	
 
- name: Deploy bash profile configuration for fancier prompts
 
  ansible.builtin.template:
 
    src: "bash_prompt.sh.j2"
 
    dest: "/etc/profile.d/bash_prompt.sh"
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
- name: Deploy profile configuration that allows for user-specific profile.d files
 
  ansible.builtin.copy:
 
    src: "user_profile_d.sh"
 
    dest: "/etc/profile.d/z99-user_profile_d.sh"
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
- name: Replace default and skeleton bashrc
 
  ansible.builtin.copy:
 
    src: "{{ item.key }}"
 
    dest: "{{ item.value }}"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  with_dict:
 
    bashrc: "/etc/bash.bashrc"
 
    skel_bashrc: "/etc/skel/.bashrc"
 

	
 
- name: Calculate stock checksum for bashrc root account
 
  ansible.builtin.stat:
 
    path: "/root/.bashrc"
 
  register: root_bashrc_stat
 

	
 
- name: Replace stock bashrc for root account with skeleton one
 
  ansible.builtin.copy:
 
    src: "skel_bashrc"
 
    dest: "/root/.bashrc"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  # Checksums: bookworm
 
  when: |
 
    root_bashrc_stat.stat.checksum == "1a422a148ad225aa5ba33f8dafd2b7cfcdbd701f"
 

	
 
- name: Install sudo
 
  ansible.builtin.apt:
 
    name: sudo
 
    state: present
 

	
 
- name: Install ssl-cert package
 
  ansible.builtin.apt:
 
    name: ssl-cert
 
    state: present
 

	
 
- name: Install common packages
 
  ansible.builtin.apt:
 
    name: "{{ common_packages }}"
 
    state: "present"
 

	
 
- name: Disable electric-indent-mode for Emacs by default for all users
 
  ansible.builtin.copy:
 
    src: "01disable-electric-indent-mode.el"
 
    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  when: "['emacs24', 'emacs24-nox', 'emacs25', 'emacs25-nox', 'emacs', 'emacs-nox'] | intersect(common_packages) | length > 0"
 

	
 
- name: Set-up operating system groups
 
  ansible.builtin.group:
 
    name: "{{ item.name }}"
 
    gid: "{{ item.gid | default(omit) }}"
 
    state: present
 
  with_items: "{{ os_groups }}"
 

	
 
- name: Set-up operating system user groups
 
  ansible.builtin.group:
 
    name: "{{ item.name }}"
 
    gid: "{{ item.uid | default(omit) }}"
 
    state: present
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up operating system users
 
  ansible.builtin.user:
 
    name: "{{ item.name }}"
 
    uid: "{{ item.uid | default(omit) }}"
 
    group: "{{ item.name }}"
 
    groups: "{{ ','.join(item.additional_groups | default([])) }}"
 
    append: true
 
    ansible.builtin.shell: /bin/bash
 
    shell: /bin/bash
 
    state: present
 
    password: "{{ item.password | default('!') }}"
 
    update_password: on_create
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up authorised keys
 
  ansible.posix.authorized_key:
 
    user: "{{ item.0.name }}"
 
    key: "{{ item.1 }}"
 
  with_subelements:
 
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
 
    - authorized_keys
 

	
 
- name: Disable remote logins for root
 
  ansible.builtin.lineinfile:
 
    dest: "/etc/ssh/sshd_config"
 
    state: present
 
    regexp: "^PermitRootLogin"
 
    line: "PermitRootLogin no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Disable remote login authentication via password
 
  ansible.builtin.lineinfile:
 
    dest: "/etc/ssh/sshd_config"
 
    state: present
 
    regexp: "^PasswordAuthentication"
 
    line: "PasswordAuthentication no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Deploy CA certificates
 
  ansible.builtin.copy:
 
    content: "{{ item.value }}"
 
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  with_dict: "{{ ca_certificates }}"
 
  register: deploy_ca_certificates_result
 

	
 
- name: Update CA certificate cache  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   CA certificate cache must be updated immediatelly in order for
 
  #   applications depending on deployed CA certificates can use them to
 
  #   validate server/client certificates.
 
  ansible.builtin.command: "/usr/sbin/update-ca-certificates --fresh"
 
  when: deploy_ca_certificates_result.changed
 
  changed_when: true  # Always results in change due to task logic.
 

	
 
- name: Set-up file diversions for custom files that overrride package-provided ones
 
  ansible.builtin.command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"
 
  register: "dpkg_divert"
 
  changed_when: "'Adding' in dpkg_divert.stdout"
 
  with_items:
 
    - "/usr/sbin/ferm"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Deploy the patched ferm binary that disables use of legacy iptables
 
  ansible.builtin.copy:
 
    src: ferm_binary
 
    dest: /usr/sbin/ferm
 
    owner: root
 
    group: root
 
    mode: "0755"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Install ferm (for firewall management)
 
  ansible.builtin.apt:
 
    name: ferm
 
    state: present
 

	
 
- name: Configure ferm init script coniguration file
 
  ansible.builtin.copy:
 
    src: "ferm_default"
 
    dest: "/etc/default/ferm"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Create directory for storing ferm configuration files
 
  ansible.builtin.file:
 
    dest: "/etc/ferm/conf.d/"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: "0750"
 

	
 
- name: Deploy main ferm configuration file
 
  ansible.builtin.copy:
 
    src: "ferm.conf"
 
    dest: "/etc/ferm/ferm.conf"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Verify maintenance_allowed_sources parameter
 
  ansible.builtin.fail:
 
    msg: "Items in maintenance_allowed_sources must IPv4/IPv6 addresses or subnets: {{ item }}"
 
  when: "not (item is ansible.utils.ipv4_address or item is ansible.utils.ipv6_address)"
 
  with_items: "{{ maintenance_allowed_sources }}"
 

	
 
- name: Deploy ferm base rules
 
  ansible.builtin.template:
 
    src: "00-base.conf.j2"
 
    dest: "/etc/ferm/conf.d/00-base.conf"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Enable and start ferm
 
  ansible.builtin.service:
 
    name: ferm
 
    state: started
 
    enabled: true
 

	
 
- name: Deploy script for flushing legacy iptables rules
 
  ansible.builtin.copy:
 
    src: "legacy_iptables_rules.sh"
 
    dest: "/usr/local/sbin/drop_legacy_iptables_rules.sh"
 
    owner: root
 
    group: root
 
    mode: "0755"
 

	
 
- name: Drop legacy iptables rules
 
  ansible.builtin.command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove"
 
  register: legacy_iptables_rules
 
  changed_when: "'Removed legacy iptables for families' in legacy_iptables_rules.stdout"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Deploy script for validating server certificates
 
  ansible.builtin.copy:
 
    src: "check_certificate.sh"
 
    dest: "/usr/local/bin/check_certificate.sh"
 
    owner: root
 
    group: root
 
    mode: "0755"
 

	
 
- name: Set-up directory for holding configuration for certificate validation script
 
  ansible.builtin.file:
 
    path: "/etc/check_certificate"
 
    state: "directory"
 
    owner: root
 
    group: root
 
    mode: "0755"
 

	
 
- name: Deploy crontab entry for checking certificates
 
  ansible.builtin.cron:
 
    name: "check_certificate"
 
    cron_file: "check_certificate"
 
    hour: "0"
 
    minute: "0"
 
    job: "/usr/local/bin/check_certificate.sh -q expiration"
 
    state: present
 
    user: nobody
 

	
 
- name: Install apticron (for checking available upgrades)
 
  ansible.builtin.apt:
 
    name: apticron
 
    state: present
 

	
 
# It would be too much hassle to detect changed state, so just ignore it.
 
- name: Preventively run apticron to avoid issues with locking
 
  ansible.builtin.command: /usr/sbin/apticron --cron
 
  changed_when: false
 

	
 
# Implementation for checking pip requirements files via via pip-tools.
 
- name: Install packages required for running pip requirements checks
 
  ansible.builtin.apt:
 
    name:
 
      - python3-setuptools
 
      - virtualenv
 
    state: present
 

	
 
- name: Create dedicated group for user running pip requirements checks
 
  ansible.builtin.group:
 
    name: "pipreqcheck"
 
    gid: "{{ pipreqcheck_gid | default(omit) }}"
 
    state: present
 

	
 
- name: Create user for running pip requirements checks
 
  ansible.builtin.user:
 
    name: "pipreqcheck"
 
    uid: "{{ pipreqcheck_uid | default(omit) }}"
 
    group: "pipreqcheck"
 
    home: "/var/lib/pipreqcheck"
 
    state: present
 

	
 
- name: Retrieve system Python interpreter version
 
  ansible.builtin.command:
 
    argv:
 
      - "/usr/bin/python3"
 
      - "-c"
 
      - "import sys; print(sys.version.split(' ')[0])"
 
  changed_when: false
 
  register: python_interpreter_version
 

	
 
- name: Retrieve virtual environment Python interpreter version (if initialised)
 
  ansible.builtin.command:
 
    argv:
 
      - "/var/lib/pipreqcheck/virtualenv/bin/python"
 
      - "-c"
 
      - "import sys; print(sys.version.split(' ')[0])"
 
  become: true
 
  become_user: "pipreqcheck"
 
  # Virtual environment perhaps does not exist.
 
  failed_when: false
 
  changed_when: false
 
  register: virtualenv_python_version
 

	
 
- name: Retrieve virtual environment prompt
 
  ansible.builtin.command:
 
    argv:
 
      - "bash"
 
      - "-c"
 
      - "source '/var/lib/pipreqcheck/virtualenv/bin/activate'; printenv PS1"
 
  become: true
 
  become_user: "pipreqcheck"
 
  failed_when: false
 
  changed_when: false
 
  register: current_virtualenv_prompt
 

	
 
- name: Remove virtual environment in case of mismatches
 
  ansible.builtin.file:
 
    path: "/var/lib/pipreqcheck/virtualenv"
 
    state: absent
 
  when: |
 
    virtualenv_python_version.rc != 0 or
 
    virtualenv_python_version.stdout.strip() != python_interpreter_version.stdout.strip() or
 
    current_virtualenv_prompt.stdout != "(pipreqcheck) "
 

	
 
- name: Create directory for Python virtual environment used for installing/running pip-tools
 
  ansible.builtin.file:
 
    path: "{{ item }}"
 
    state: directory
 
    owner: pipreqcheck
 
    group: pipreqcheck
 
    mode: "0750"
 
  with_items:
 
    - "/var/lib/pipreqcheck"
 
    - "/var/lib/pipreqcheck/virtualenv"
 

	
 
- name: Create Python virtual environment used for installing/running pip-tools
 
  ansible.builtin.command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'"
 
  args:
 
    creates: "{{ item.creates }}"
 
  become: true
 
  become_user: "pipreqcheck"
 
  with_items:
 
    - name: pipreqcheck
 
      virtualenv_path: "/var/lib/pipreqcheck/virtualenv"
 
      virtualenv_prompt: "pipreqcheck"
 
      python_path: "/usr/bin/python3"
 
      creates: "/var/lib/pipreqcheck/virtualenv/bin/python3"
 

	
 
- name: Create directory for storing pip requirements files
 
  ansible.builtin.file:
 
    path: "{{ item }}"
 
    state: "directory"
 
    owner: root
 
    group: pipreqcheck
 
    mode: "0750"
 
  with_items:
 
    - "/etc/pip_check_requirements_upgrades"
 

	
 
- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself
 
  ansible.builtin.file:
 
    path: "{{ item }}"
 
    state: "directory"
 
    owner: root
 
    group: pipreqcheck
 
    mode: "0750"
 
  with_items:
 
    - "/etc/pip_check_requirements_upgrades/pipreqcheck"
 

	
 
- name: Deploy .in file for pip requirements in pip-tools virtual environment
 
  ansible.builtin.template:
 
    src: "pipreqcheck_requirements.in.j2"
 
    dest: "{{ item.path }}"
 
    owner: root
 
    group: pipreqcheck
 
    mode: "0640"
 
  with_items:
 
    - path: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"
 
      requirements: "{{ pip_check_requirements_in }}"
 

	
 
- name: Deploy requirements file for pipreqcheck virtual environment
 
  ansible.builtin.template:
 
    src: "pipreqcheck_requirements.txt.j2"
 
    dest: "{{ item.file }}"
 
    owner: root
 
    group: pipreqcheck
 
    mode: "0640"
 
  with_items:
 
    - file: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 
      requirements: "{{ pip_check_requirements }}"
 

	
 
- name: Install requirements in the pipreqcheck virtual environment
 
  ansible.builtin.pip:
 
    requirements: "{{ item.requirements }}"
 
    virtualenv: "{{ item.virtualenv }}"
 
  become: true
 
  become_user: pipreqcheck
 
  with_items:
 
    - virtualenv: "~pipreqcheck/virtualenv"
 
      requirements: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 

	
 
- name: Synchronise pip-tools virtual environment via deployed requirements file
 
  ansible.builtin.shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 
  args:
 
    executable: /bin/bash
 
  become: true
 
  become_user: "pipreqcheck"
 
  register: pipreqcheck_pip_sync
 
  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"
 

	
 
- name: Deploy script for checking available upgrades
 
  ansible.builtin.copy:
 
    src: "pip_check_requirements_upgrades.sh"
 
    dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"
 
    owner: root
 
    group: root
 
    mode: "0755"
 

	
 
- name: Deploy crontab entry for checking pip requirements
 
  ansible.builtin.copy:
 
    src: "cron_check_pip_requirements"
 
    dest: "/etc/cron.d/check_pip_requirements"
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
- name: Install NTP packages
 
  ansible.builtin.apt:
 
    name:
 
      - ntpsec
 
      - ntpsec-ntpdate
 
    state: present
 
  when: ntp_pools | length > 0
 

	
 
- name: Remove NTP packages
 
  ansible.builtin.apt:
 
    name:
 
      - ntpsec
 
      - ntpsec-ntpdate
 
    state: absent
 
    purge: true
 
  when: ntp_pools | length == 0
 

	
 
- name: Deploy NTP configuration
 
  ansible.builtin.template:
 
    src: "ntp.conf.j2"
 
    dest: "/etc/ntpsec/ntp.conf"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  when: ntp_pools | length > 0
 
  notify:
 
    - Restart NTP server
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
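Review bot: The `Set-up operating system users` task, whose `shell: /bin/bash` line this commit restores, loops over `os_users` while reading `item.password`, and the default callback prints the whole `item` dict for every iteration (unless the callback plugin is configured otherwise), so any password hash supplied in inventory is echoed into play output and any saved logs; the module masks its own `password` argument, but that does not cover the echoed loop item. The cheapest fix is `loop_control:` with `label: "{{ item.name }}"` on that task, which replaces the printed item with just the user name while keeping per-user failure detail; `no_log: true` is the stricter alternative if the hashes must never appear, at the cost of losing error detail on failures. The same applies to no other task in this file, since the other loops carry paths or package names only.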
roles/php_website/tasks/main.yml
 
---
 

	
 
- name: Create PHP website group
 
  ansible.builtin.group:
 
    name: "{{ user }}"
 
    gid: "{{ uid | default(omit) }}"
 
    state: present
 

	
 
- name: Create PHP website admin user
 
  ansible.builtin.user:
 
    name: "{{ admin }}"
 
    uid: "{{ admin_uid | default(omit) }}"
 
    group: "{{ user }}"
 
    ansible.builtin.shell: /bin/bash
 
    shell: /bin/bash
 
    createhome: true
 
    home: "{{ home }}"
 
    state: present
 

	
 
- name: Set-up directory for storing user profile configuration files
 
  ansible.builtin.file:
 
    path: "{{ home }}/.profile.d"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "0750"
 

	
 
- name: Create PHP website user
 
  ansible.builtin.user:
 
    name: "{{ user }}"
 
    uid: "{{ uid | default(omit) }}"
 
    group: "{{ user }}"
 
    comment: "umask=0007"
 
    system: true
 
    createhome: false
 
    state: present
 
    home: "{{ home }}"
 
    # This is a workaround for a rather stupid bug that Debian seems
 
    # uninterested to backport -
 
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
 
    ansible.builtin.shell: /bin/sh
 
    shell: /bin/sh
 

	
 
- name: Add nginx user to website group
 
  ansible.builtin.user:
 
    name: "www-data"
 
    groups: "{{ user }}"
 
    append: "yes"
 
  notify:
 
    - Restart nginx
 

	
 
# Ownership set to root so Postfix would not check if correct user owns the
 
# file.
 
- name: Set-up forwarding for mails delivered to local application user/admin
 
  ansible.builtin.template:
 
    src: "forward.j2"
 
    dest: "{{ home }}/.forward"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Install extra packages for website
 
  ansible.builtin.apt:
 
    name: "{{ packages }}"
 
    state: present
 

	
 
- name: Deploy PHP FPM configuration file for website
 
  ansible.builtin.template:
 
    src: "fpm_site.conf.j2"
 
    dest: "{{ php_fpm_pool_directory }}/{{ fqdn }}.conf"
 
    validate: "{{ php_fpm_binary }} -t -y %s"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart PHP-FPM
 

	
 
- name: Deploy nginx TLS private key for website
 
  ansible.builtin.copy:
 
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
 
    content: "{{ https_tls_key }}"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy nginx TLS certificate for website
 
  ansible.builtin.copy:
 
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    content: "{{ https_tls_certificate }}"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy configuration file for checking certificate validity via cron
 
  ansible.builtin.copy:
 
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
- name: Deploy nginx configuration file for website
 
  ansible.builtin.template:
 
    src: "nginx_site.j2"
 
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Enable website
 
  ansible.builtin.file:
 
    src: "/etc/nginx/sites-available/{{ fqdn }}"
 
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
 
    state: link
 
  notify:
 
    - Restart nginx
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
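Review bot: `append: "yes"` in the `Add nginx user to website group` task is a quoted string where a boolean is intended, and after the two restored `shell:` lines (admin user and website user) it is the only yes/no-style value left in this file; the sibling wsgi_website role writes the same task as `append: true`. Change it to `append: true` so the value is a real boolean and the two roles agree. Ansible coerces the string today, so this is consistency rather than a behavioural fix.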
roles/wsgi_website/tasks/main.yml
 
---
 

	
 
- name: Create WSGI website group
 
  ansible.builtin.group:
 
    name: "{{ user }}"
 
    gid: "{{ uid | default(omit) }}"
 
    state: present
 

	
 
- name: Create WSGI website admin user
 
  ansible.builtin.user:
 
    name: "{{ admin }}"
 
    uid: "{{ admin_uid | default(omit) }}"
 
    group: "{{ user }}"
 
    ansible.builtin.shell: /bin/bash
 
    shell: /bin/bash
 
    createhome: true
 
    home: "{{ home }}"
 
    state: present
 

	
 
- name: Set-up directory for storing user profile configuration files
 
  ansible.builtin.file:
 
    path: "{{ home }}/.profile.d"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "0750"
 

	
 
- name: Deploy profile configuration file for auto-activating the virtual environment
 
  ansible.builtin.copy:
 
    src: "profile_virtualenv.sh"
 
    dest: "{{ home }}/.profile.d/virtualenv.sh"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Deploy profile configuration file for setting environment variables
 
  ansible.builtin.template:
 
    src: "environment.sh.j2"
 
    dest: "{{ home }}/.profile.d/environment.sh"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Create WSGI website user
 
  ansible.builtin.user:
 
    name: "{{ user }}"
 
    uid: "{{ uid | default(omit) }}"
 
    group: "{{ user }}"
 
    comment: "umask=0007"
 
    system: true
 
    createhome: false
 
    state: present
 
    home: "{{ home }}"
 
    # This is a workaround for a rather stupid bug that Debian seems
 
    # uninterested to backport -
 
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
 
    ansible.builtin.shell: /bin/sh
 
    shell: /bin/sh
 

	
 
- name: Add nginx user to website group
 
  ansible.builtin.user:
 
    name: www-data
 
    groups: "{{ user }}"
 
    append: true
 
  notify:
 
    - Restart nginx
 

	
 
# Ownership set to root so Postfix would not check if correct user owns the
 
# file.
 
- name: Set-up forwarding for mails delivered to local application user/admin
 
  ansible.builtin.template:
 
    src: "forward.j2"
 
    dest: "{{ home }}/.forward"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Install extra packages for website
 
  ansible.builtin.apt:
 
    name: "{{ packages }}"
 
    state: present
 
  register: install_extra_packages
 
  notify:
 
    - Restart WSGI services
 

	
 
- name: Retrieve requested Python interpreter version
 
  ansible.builtin.command:
 
    argv:
 
      - "{{ python_interpreter }}"
 
      - "-c"
 
      - "import sys; print(sys.version.split(' ')[0])"
 
  changed_when: false
 
  register: python_interpreter_version
 

	
 
- name: Retrieve virtual environment Python interpreter version (if initialised)
 
  ansible.builtin.command:
 
    argv:
 
      - "{{ home }}/virtualenv/bin/python"
 
      - "-c"
 
      - "import sys; print(sys.version.split(' ')[0])"
 
  # Virtual environment perhaps does not exist.
 
  failed_when: false
 
  changed_when: false
 
  register: virtualenv_python_version
 

	
 
- name: Retrieve virtual environment prompt
 
  ansible.builtin.command:
 
    argv:
 
      - "bash"
 
      - "-c"
 
      - "source '{{ home }}/virtualenv/bin/activate'; printenv PS1"
 
  failed_when: false
 
  changed_when: false
 
  register: current_virtualenv_prompt
 

	
 
- name: Remove virtual environment in case of mismatches
 
  ansible.builtin.file:
 
    path: "{{ home }}/virtualenv"
 
    state: absent
 
  when: |
 
    virtualenv_python_version.rc != 0 or
 
    virtualenv_python_version.stdout.strip() != python_interpreter_version.stdout.strip() or
 
    current_virtualenv_prompt.stdout != "(" + fqdn + ") "
 
  notify:
 
    - Restart WSGI services
 

	
 
- name: Create directory for storing the Python virtual environment
 
  ansible.builtin.file:
 
    path: "{{ home }}/virtualenv"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "02750"
 

	
 
- name: Create Python virtual environment
 
  ansible.builtin.command: '/usr/bin/virtualenv --python "{{ python_interpreter }}" --prompt "{{ virtualenv_prompt }}" "{{ home }}/virtualenv"'
 
  args:
 
    creates: "{{ home }}/virtualenv/bin/{{ python_interpreter | basename }}"
 
  become: true
 
  become_user: "{{ admin }}"
 

	
 
- name: Configure project directory for the Python virtual environment
 
  ansible.builtin.template:
 
    src: "venv_project.j2"
 
    dest: "{{ home }}/virtualenv/.project"
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Deploy virtualenv wrapper
 
  ansible.builtin.template:
 
    src: "venv_exec.j2"
 
    dest: "{{ home }}/virtualenv/bin/exec"
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "0750"
 

	
 
- name: Set-up directory for storing requirements file for upgrade checks
 
  ansible.builtin.file:
 
    path: "{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}"
 
    state: directory
 
    owner: root
 
    group: pipreqcheck
 
    mode: "0750"
 

	
 
- name: Deploy WSGI requirements files for upgrade checks
 
  ansible.builtin.template:
 
    src: "{{ item }}.j2"
 
    dest: "{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}/{{ item }}"
 
    owner: root
 
    group: pipreqcheck
 
    mode: "0640"
 
  with_items:
 
    - wsgi_requirements.in
 
    - wsgi_requirements.txt
 

	
 
- name: Deploy Gunicorn requirements file for installation purposes
 
  ansible.builtin.template:
 
    src: "wsgi_requirements.txt.j2"
 
    dest: "{{ home }}/.wsgi_requirements.txt"
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Install Gunicorn via requirements file
 
  become: true
 
  become_user: "{{ admin }}"
 
  ansible.builtin.pip:
 
    requirements: "{{ home }}/.wsgi_requirements.txt"
 
    state: present
 
    virtualenv: "{{ home }}/virtualenv"
 
  register: install_gunicorn_via_requirements
 
  notify:
 
    - Restart WSGI services
 

	
 
- name: Install additional packages in Python virtual environment
 
  become: true
 
  become_user: "{{ admin }}"
 
  ansible.builtin.pip:
 
    name: "{{ virtualenv_packages }}"
 
    state: present
 
    virtualenv: "{{ home }}/virtualenv"
 
  register: install_additional_packages_in_virtualenv
 
  when: virtualenv_packages | length > 0
 
  notify:
 
    - Restart WSGI services
 

	
 
- name: Deploy systemd socket configuration for website
 
  ansible.builtin.template:
 
    src: "systemd_wsgi_website.socket.j2"
 
    dest: "/etc/systemd/system/{{ fqdn }}.socket"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  register: deploy_systemd_socket_configuration
 
  notify:
 
    - Reload systemd
 
    - Restart WSGI services
 

	
 
- name: Deploy systemd service configuration for website
 
  ansible.builtin.template:
 
    src: "systemd_wsgi_website.service.j2"
 
    dest: "/etc/systemd/system/{{ fqdn }}.service"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  register: deploy_systemd_service_configuration
 
  notify:
 
    - Reload systemd
 
    - Restart WSGI services
 

	
 
- name: Enable the website service
 
  ansible.builtin.service:
 
    name: "{{ fqdn }}"
 
    enabled: true
 
    state: started
 

	
 
- name: Create directory where static files can be served from
 
  ansible.builtin.file:
 
    path: "{{ home }}/htdocs/"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "02750"
 

	
 
- name: Deploy nginx TLS private key for website
 
  ansible.builtin.copy:
 
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
 
    content: "{{ https_tls_key }}"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy nginx TLS certificate for website
 
  ansible.builtin.copy:
 
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    content: "{{ https_tls_certificate }}"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy configuration file for checking certificate validity via cron
 
  ansible.builtin.copy:
 
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
 
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
- name: Deploy nginx configuration file for website
 
  ansible.builtin.template:
 
    src: "nginx_site.j2"
 
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Enable nginx website
 
  ansible.builtin.file:
 
    src: "/etc/nginx/sites-available/{{ fqdn }}"
 
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
 
    state: link
 
  notify:
 
    - Restart nginx
 

	
 
- name: Set-up empty list of WSGI services to restart
 
  ansible.builtin.set_fact:
 
    wsgi_services_to_restart: []
 
  when: "wsgi_services_to_restart is not defined"
 
  tags:
 
    - handlers
 

	
 
- name: Add service to list of WSGI services to restart  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   This specific task is used in order to work around inability of Ansible
 
  #   to provide properly parametrised handlers for reusable roles.
 
  ansible.builtin.set_fact:
 
    wsgi_services_to_restart: "{{ wsgi_services_to_restart + [fqdn] }}"
 
  when: |
 
    fqdn not in wsgi_services_to_restart and
 
    ((install_extra_packages is defined and install_extra_packages.changed) or
 
    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or
 
    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or
 
    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or
 
    (install_gunicorn_via_requirements is defined and install_gunicorn_via_requirements.changed) or
 
    (run_handlers | default(False) | bool()))
 
  tags:
 
    - handlers
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
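Review bot: `Create Python virtual environment` builds its command from `python_interpreter`, `virtualenv_prompt` and `home` inside one quoted string, so a double quote or unusual whitespace in any of those role variables breaks the shlex split Ansible performs before execution; the same file already uses the `argv:` form for the interpreter-version checks, and the virtualenv call would be both safer and consistent written that way, with `creates` moved into the module dict. The restored `shell: /bin/bash` and `shell: /bin/sh` lines in the two user tasks are correct as written.
```yaml
- name: Create Python virtual environment
  ansible.builtin.command:
    argv:
      - "/usr/bin/virtualenv"
      - "--python"
      - "{{ python_interpreter }}"
      - "--prompt"
      - "{{ virtualenv_prompt }}"
      - "{{ home }}/virtualenv"
    creates: "{{ home }}/virtualenv/bin/{{ python_interpreter | basename }}"
  # … unchanged: become / become_user …
```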
roles/xmpp_server/molecule/default/prepare.yml
 
---
 

	
 
- name: Prepare, test fixtures
 
  hosts: localhost
 
  connection: local
 
  gather_facts: false
 
  tasks:
 

	
 
    - name: Initialise CA hierarchy
 
      ansible.builtin.command: "gimmecert init"
 
      args:
 
        creates: ".gimmecert/ca/level1.cert.pem"
 
        chdir: "tests/data/"
 

	
 
    - name: Generate server private keys and certificates
 
      ansible.builtin.command:
 
      args:
 
        chdir: "tests/data/"
 
        creates: ".gimmecert/server/{{ item.name }}.cert.pem"
 
        argv: "{{ ['gimmecert', 'server', item.name] + item.fqdn }}"
 
      with_items:
 
        - name: ldap-server_ldap
 
          fqdn:
 
            - ldap-server
 

	
 
        - name: parameters-mandatory-bookworm_xmpp
 
          fqdn:
 
            - parameters-mandatory
 
            - domain1
 
            - proxy.domain1
 
            - conference.domain1
 
        - name: parameters-optional-bookworm_xmpp
 
          fqdn:
 
            - parameters-optional
 
            - domain2
 
            - proxy.domain2
 
            - conference.domain2
 
            - domain3
 
            - proxy.domain3
 
            - conference.domain3
 

	
 
    - name: Set-up link to generated X.509 material
 
      ansible.builtin.file:
 
        src: ".gimmecert"
 
        dest: "tests/data/x509"
 
        state: link
 

	
 
- name: Prepare
 
  hosts: all
 
  become: true
 
  gather_facts: false
 
  tasks:
 

	
 
    - name: Install python for Ansible
 
      ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
 
      become: true
 
      changed_when: false
 

	
 
    - name: Update all caches to avoid errors due to missing remote archives
 
      ansible.builtin.apt:
 
        update_cache: true
 
      changed_when: false
 

	
 
    - name: Install tools for testing
 
      ansible.builtin.apt:
 
        name:
 
          - gnutls-bin
 
          - nmap
 
        state: present
 

	
 
    - name: Use name provided via CLI when running STARTTLS handshake for XMPP via nmap
 
      ansible.builtin.replace:
 
        path: "/usr/share/nmap/nselib/sslcert.lua"
 
        regexp: "host\\.name\\)"
 
        replace: "host.targetname)"
 

	
 
- name: Prepare, test fixtures
 
  hosts: bookworm
 
  become: true
 
  tasks:
 

	
 
    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
 
      ansible.builtin.blockinfile:
 
        path: "/etc/ssl/openssl.cnf"
 
        block: |
 
          [openssl_init]
 
          ssl_conf = ssl_sect
 

	
 
          [ssl_sect]
 
          system_default = system_default_sect
 

	
 
          [system_default_sect]
 
          MinProtocol = TLSv1.1
 
          CipherString = DEFAULT@SECLEVEL=0
 
        owner: root
 
        group: root
 
        mode: "0644"
 
        state: present
 

	
 
    - name: Set-up the hosts file
 
      ansible.builtin.lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ item.key }}"
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: "0644"
 
        state: present
 
      with_dict:
 
        192.168.56.11: "ldap-server backup-server"
 
        192.168.56.21: "client-bookworm"
 
        192.168.56.31: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 
        192.168.56.32: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 

	
 
- name: Prepare, helpers
 
  hosts: clients
 
  become: true
 
  tasks:
 

	
 
    - name: Install tool for testing TCP connectivity
 
      ansible.builtin.apt:
 
        name: hping3
 
        state: present
 

	
 
    - name: Deploy CA certificate
 
      ansible.builtin.copy:
 
        src: tests/data/x509/ca/level1.cert.pem
 
        dest: /usr/local/share/ca-certificates/testca.crt
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      notify:
 
        - Update CA certificate cache
 

	
 
    - name: Install console-based XMPP client (for interactive testing)
 
      ansible.builtin.apt:
 
        name: mcabber
 
        state: present
 

	
 
    - name: Install console-based XMPP tool (for non-interactive testing)
 
      ansible.builtin.apt:
 
        name: go-sendxmpp
 
        state: present
 

	
 
    - name: Create dedicated group for testing
 
      ansible.builtin.group:
 
        name: user
 
        state: present
 

	
 
    - name: Create dedicated user for testing
 
      ansible.builtin.user:
 
        name: user
 
        group: user
 
        ansible.builtin.shell: /bin/bash
 
        shell: /bin/bash
 

	
 
    - name: Deploy mcabber configuration files
 
      ansible.builtin.template:
 
        src: tests/data/mcabber.cfg.j2
 
        dest: "~user/{{ item.jid }}.cfg"
 
        owner: user
 
        group: user
 
        mode: "0600"
 
      with_items:
 
        - jid: john.doe@domain1
 
          password: johnpassword
 
          server: domain1
 
          security: tls
 
          nickname: john.doe
 
        - jid: jane.doe@domain2
 
          password: janepassword
 
          server: domain2
 
          security: ssl
 
          nickname: jane.doe
 
        - jid: mick.doe@domain3
 
          password: mickpassword
 
          server: domain3
 
          security: tls
 
          nickname: mick.doe
 
        - jid: noxmpp@domain1
 
          password: noxmpppassword
 
          server: domain1
 
          security: tls
 
          nickname: noxmpp
 

	
 
  handlers:
 

	
 
    - name: Update CA certificate cache  # noqa no-changed-when
 
      ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh
 
      # [no-changed-when] Commands should not change things if nothing needs doing
 
      #   Does not matter in test prepare stage.
 

	
 
- name: Prepare, helpers
 
  hosts: ldap-server
 
  become: true
 
  roles:
 
    - ldap_server
 
    - backup_server
 

	
 
- name: Prepare, test fixtures
 
  hosts: ldap-server
 
  become: true
 
  tasks:
 

	
 
    - name: Create LDAP accounts for testing
 
      community.general.ldap_entry:
 
        dn: "{{ item.dn }}"
 
        objectClass: "{{ item.objectClass }}"
 
        attributes: "{{ item.attributes }}"
 
      with_items:
 
        - dn: uid=john,ou=people,dc=local
 
          objectClass:
 
            - inetOrgPerson
 
            - simpleSecurityObject
 
          attributes:
 
            userPassword: johnpassword
 
            uid: john
 
            cn: John Doe
 
            sn: Doe
 
            mail: john.doe@domain1
 

	
 
        - dn: uid=jane,ou=people,dc=local
 
          objectClass:
 
            - inetOrgPerson
 
            - simpleSecurityObject
 
          attributes:
 
            userPassword: janepassword
 
            uid: jane
 
            cn: Jane Doe
 
            sn: Doe
 
            mail: jane.doe@domain2
 

	
 
        - dn: uid=mick,ou=people,dc=local
 
          objectClass:
 
            - inetOrgPerson
 
            - simpleSecurityObject
 
          attributes:
 
            userPassword: mickpassword
 
            uid: mick
 
            cn: Mick Doe
 
            sn: Doe
 
            mail: mick.doe@domain3
 

	
 
        - dn: uid=noxmpp,ou=people,dc=local
 
          objectClass:
 
            - inetOrgPerson
 
            - simpleSecurityObject
 
          attributes:
 
            userPassword: noxmpppassword
 
            uid: noxmpp
 
            cn: No XMPP
 
            sn: XMPP
 
            mail: noxmpp@domain1
 

	
 
    - name: Add test accounts to correct group
 
      community.general.ldap_attrs:
 
        dn: "cn=xmpp,ou=groups,dc=local"
 
        attributes:
 
          uniqueMember:
 
            - uid=john,ou=people,dc=local
 
            - uid=jane,ou=people,dc=local
 
            - uid=mick,ou=people,dc=local
 
            - uid=eve,ou=people,dc=local
 
        state: exact
 

	
 
- name: Prepare, test fixtures
 
  hosts: parameters-mandatory,parameters-optional
 
  become: true
 
  tasks:
 

	
 
    - name: Install console-based XMPP tool (for non-interactive testing)
 
      ansible.builtin.apt:
 
        name: "{{ sendxmpp_package }}"
 
        state: present
 
      vars:
 
        sendxmpp_package: "go-sendxmpp"
 

	
 
    - name: Deploy small Lua script for listing the enabled modules in Prosody
 
      ansible.builtin.copy:
 
        src: list_prosody_modules.lua
 
        dest: "/usr/local/bin/list_prosody_modules.lua"
 
        owner: root
 
        group: root
 
        mode: "0755"
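Review bot: The `shell: /bin/bash` line in the "Create dedicated user for testing" task is the login shell of the `user` account, a parameter of `ansible.builtin.user`, and nothing on the line distinguishes it from a module name, which is how the bulk FQCN rewrite this commit reverts got it wrong; an inline comment such as `shell: /bin/bash  # login shell of the account (user-module argument, not the shell module)` would keep the next automated pass from re-applying the replacement. From the rendered page I cannot see which of the two `shell` lines is the new side, so this assumes the plain `shell:` survives, as the commit title indicates. The erroneous form would only surface when the prepare playbook is actually run, since the user module rejects unsupported parameters at runtime and a bare syntax check does not validate module arguments, so a molecule prepare run (or `ansible-playbook --check`) is the regression check worth adding for this file.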