Changeset - 0be45939fc2a
0 4 0
Branko Majic (branko) - 15 months ago 2024-09-03 15:42:49
branko@majic.rs
MAR-218: Fix erroneous replacement of shell attribute (from FQCN fixes).
4 files changed with 6 insertions and 6 deletions:
roles/common/tasks/main.yml
 
@@ -118,97 +118,97 @@
 
  when: |
 
    root_bashrc_stat.stat.checksum == "1a422a148ad225aa5ba33f8dafd2b7cfcdbd701f"
 

	
 
- name: Install sudo
 
  ansible.builtin.apt:
 
    name: sudo
 
    state: present
 

	
 
- name: Install ssl-cert package
 
  ansible.builtin.apt:
 
    name: ssl-cert
 
    state: present
 

	
 
- name: Install common packages
 
  ansible.builtin.apt:
 
    name: "{{ common_packages }}"
 
    state: "present"
 

	
 
- name: Disable electric-indent-mode for Emacs by default for all users
 
  ansible.builtin.copy:
 
    src: "01disable-electric-indent-mode.el"
 
    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  when: "['emacs24', 'emacs24-nox', 'emacs25', 'emacs25-nox', 'emacs', 'emacs-nox'] | intersect(common_packages) | length > 0"
 

	
 
- name: Set-up operating system groups
 
  ansible.builtin.group:
 
    name: "{{ item.name }}"
 
    gid: "{{ item.gid | default(omit) }}"
 
    state: present
 
  with_items: "{{ os_groups }}"
 

	
 
- name: Set-up operating system user groups
 
  ansible.builtin.group:
 
    name: "{{ item.name }}"
 
    gid: "{{ item.uid | default(omit) }}"
 
    state: present
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up operating system users
 
  ansible.builtin.user:
 
    name: "{{ item.name }}"
 
    uid: "{{ item.uid | default(omit) }}"
 
    group: "{{ item.name }}"
 
    groups: "{{ ','.join(item.additional_groups | default([])) }}"
 
    append: true
 
    ansible.builtin.shell: /bin/bash
 
    shell: /bin/bash
 
    state: present
 
    password: "{{ item.password | default('!') }}"
 
    update_password: on_create
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up authorised keys
 
  ansible.posix.authorized_key:
 
    user: "{{ item.0.name }}"
 
    key: "{{ item.1 }}"
 
  with_subelements:
 
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
 
    - authorized_keys
 

	
 
- name: Disable remote logins for root
 
  ansible.builtin.lineinfile:
 
    dest: "/etc/ssh/sshd_config"
 
    state: present
 
    regexp: "^PermitRootLogin"
 
    line: "PermitRootLogin no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Disable remote login authentication via password
 
  ansible.builtin.lineinfile:
 
    dest: "/etc/ssh/sshd_config"
 
    state: present
 
    regexp: "^PasswordAuthentication"
 
    line: "PasswordAuthentication no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Deploy CA certificates
 
  ansible.builtin.copy:
 
    content: "{{ item.value }}"
 
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  with_dict: "{{ ca_certificates }}"
 
  register: deploy_ca_certificates_result
 

	
 
- name: Update CA certificate cache  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   CA certificate cache must be updated immediatelly in order for
 
  #   applications depending on deployed CA certificates can use them to
 
  #   validate server/client certificates.
 
  ansible.builtin.command: "/usr/sbin/update-ca-certificates --fresh"
 
  when: deploy_ca_certificates_result.changed
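Review bot: The two `ansible.builtin.lineinfile` edits of `/etc/ssh/sshd_config` (PermitRootLogin and PasswordAuthentication) rewrite the file with no syntax check before the `Restart SSH` handler fires, so a malformed result would only surface as a failed restart and a host without remote access; add `validate: "/usr/sbin/sshd -t -f %s"` to both tasks so sshd rejects a bad edit before it is written. A `regexp` that matches no existing line appends at end of file, which on a config containing `Match` blocks places the directive inside the last block rather than globally; if that layout is possible on these hosts, `insertbefore: "^Match"` with `firstmatch: true` keeps the directive global. The task at the top of the hunk (`when: |`) starts outside the hunk.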
roles/php_website/tasks/main.yml
 
---
 

	
 
- name: Create PHP website group
 
  ansible.builtin.group:
 
    name: "{{ user }}"
 
    gid: "{{ uid | default(omit) }}"
 
    state: present
 

	
 
- name: Create PHP website admin user
 
  ansible.builtin.user:
 
    name: "{{ admin }}"
 
    uid: "{{ admin_uid | default(omit) }}"
 
    group: "{{ user }}"
 
    ansible.builtin.shell: /bin/bash
 
    shell: /bin/bash
 
    createhome: true
 
    home: "{{ home }}"
 
    state: present
 

	
 
- name: Set-up directory for storing user profile configuration files
 
  ansible.builtin.file:
 
    path: "{{ home }}/.profile.d"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "0750"
 

	
 
- name: Create PHP website user
 
  ansible.builtin.user:
 
    name: "{{ user }}"
 
    uid: "{{ uid | default(omit) }}"
 
    group: "{{ user }}"
 
    comment: "umask=0007"
 
    system: true
 
    createhome: false
 
    state: present
 
    home: "{{ home }}"
 
    # This is a workaround for a rather stupid bug that Debian seems
 
    # uninterested to backport -
 
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
 
    ansible.builtin.shell: /bin/sh
 
    shell: /bin/sh
 

	
 
- name: Add nginx user to website group
 
  ansible.builtin.user:
 
    name: "www-data"
 
    groups: "{{ user }}"
 
    append: "yes"
 
  notify:
 
    - Restart nginx
 

	
 
# Ownership set to root so Postfix would not check if correct user owns the
 
# file.
 
- name: Set-up forwarding for mails delivered to local application user/admin
 
  ansible.builtin.template:
 
    src: "forward.j2"
 
    dest: "{{ home }}/.forward"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Install extra packages for website
 
  ansible.builtin.apt:
 
    name: "{{ packages }}"
 
    state: present
 

	
 
- name: Deploy PHP FPM configuration file for website
 
  ansible.builtin.template:
 
    src: "fpm_site.conf.j2"
 
    dest: "{{ php_fpm_pool_directory }}/{{ fqdn }}.conf"
 
    validate: "{{ php_fpm_binary }} -t -y %s"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart PHP-FPM
 

	
 
- name: Deploy nginx TLS private key for website
 
  ansible.builtin.copy:
 
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
 
    content: "{{ https_tls_key }}"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy nginx TLS certificate for website
 
  ansible.builtin.copy:
 
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
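Review bot: `append: "yes"` in the 'Add nginx user to website group' task is a quoted string where the module expects a boolean, while the same task in roles/wsgi_website/tasks/main.yml uses `append: true` and an unquoted `name: www-data`; change this one to `append: true` and `name: www-data` so the two roles read the same. Ansible coerces "yes" to a boolean, so this is a point of style rather than behaviour. The hunk ends inside the 'Deploy nginx TLS certificate for website' task.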
roles/wsgi_website/tasks/main.yml
 
---
 

	
 
- name: Create WSGI website group
 
  ansible.builtin.group:
 
    name: "{{ user }}"
 
    gid: "{{ uid | default(omit) }}"
 
    state: present
 

	
 
- name: Create WSGI website admin user
 
  ansible.builtin.user:
 
    name: "{{ admin }}"
 
    uid: "{{ admin_uid | default(omit) }}"
 
    group: "{{ user }}"
 
    ansible.builtin.shell: /bin/bash
 
    shell: /bin/bash
 
    createhome: true
 
    home: "{{ home }}"
 
    state: present
 

	
 
- name: Set-up directory for storing user profile configuration files
 
  ansible.builtin.file:
 
    path: "{{ home }}/.profile.d"
 
    state: directory
 
    owner: "{{ admin }}"
 
    group: "{{ user }}"
 
    mode: "0750"
 

	
 
- name: Deploy profile configuration file for auto-activating the virtual environment
 
  ansible.builtin.copy:
 
    src: "profile_virtualenv.sh"
 
    dest: "{{ home }}/.profile.d/virtualenv.sh"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Deploy profile configuration file for setting environment variables
 
  ansible.builtin.template:
 
    src: "environment.sh.j2"
 
    dest: "{{ home }}/.profile.d/environment.sh"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Create WSGI website user
 
  ansible.builtin.user:
 
    name: "{{ user }}"
 
    uid: "{{ uid | default(omit) }}"
 
    group: "{{ user }}"
 
    comment: "umask=0007"
 
    system: true
 
    createhome: false
 
    state: present
 
    home: "{{ home }}"
 
    # This is a workaround for a rather stupid bug that Debian seems
 
    # uninterested to backport -
 
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
 
    ansible.builtin.shell: /bin/sh
 
    shell: /bin/sh
 

	
 
- name: Add nginx user to website group
 
  ansible.builtin.user:
 
    name: www-data
 
    groups: "{{ user }}"
 
    append: true
 
  notify:
 
    - Restart nginx
 

	
 
# Ownership set to root so Postfix would not check if correct user owns the
 
# file.
 
- name: Set-up forwarding for mails delivered to local application user/admin
 
  ansible.builtin.template:
 
    src: "forward.j2"
 
    dest: "{{ home }}/.forward"
 
    owner: root
 
    group: "{{ user }}"
 
    mode: "0640"
 

	
 
- name: Install extra packages for website
 
  ansible.builtin.apt:
 
    name: "{{ packages }}"
 
    state: present
 
  register: install_extra_packages
 
  notify:
 
    - Restart WSGI services
 

	
 
- name: Retrieve requested Python interpreter version
 
  ansible.builtin.command:
 
    argv:
 
      - "{{ python_interpreter }}"
 
      - "-c"
 
      - "import sys; print(sys.version.split(' ')[0])"
 
  changed_when: false
 
  register: python_interpreter_version
 

	
 
- name: Retrieve virtual environment Python interpreter version (if initialised)
 
  ansible.builtin.command:
 
    argv:
 
      - "{{ home }}/virtualenv/bin/python"
 
      - "-c"
 
      - "import sys; print(sys.version.split(' ')[0])"
 
  # Virtual environment perhaps does not exist.
 
  failed_when: false
 
  changed_when: false
 
  register: virtualenv_python_version
 

	
 
- name: Retrieve virtual environment prompt
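Review bot: `failed_when: false` on 'Retrieve virtual environment Python interpreter version (if initialised)' suppresses every failure of the command, not only the missing-virtualenv case the comment above it describes, so a broken or non-executable interpreter under `{{ home }}/virtualenv` is indistinguishable from an absent one in `virtualenv_python_version`. A preceding `ansible.builtin.stat` on `{{ home }}/virtualenv/bin/python` with a `when: <stat result>.stat.exists` guard on this task would narrow the suppression to the intended case; how the registered variable is consumed lies outside the hunk, so the exact handling depends on that. The 'Retrieve virtual environment prompt' task at the end of the hunk continues outside it.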
roles/xmpp_server/molecule/default/prepare.yml
 
@@ -106,97 +106,97 @@
 
        group: root
 
        mode: "0644"
 
        state: present
 
      with_dict:
 
        192.168.56.11: "ldap-server backup-server"
 
        192.168.56.21: "client-bookworm"
 
        192.168.56.31: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 
        192.168.56.32: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 

	
 
- name: Prepare, helpers
 
  hosts: clients
 
  become: true
 
  tasks:
 

	
 
    - name: Install tool for testing TCP connectivity
 
      ansible.builtin.apt:
 
        name: hping3
 
        state: present
 

	
 
    - name: Deploy CA certificate
 
      ansible.builtin.copy:
 
        src: tests/data/x509/ca/level1.cert.pem
 
        dest: /usr/local/share/ca-certificates/testca.crt
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      notify:
 
        - Update CA certificate cache
 

	
 
    - name: Install console-based XMPP client (for interactive testing)
 
      ansible.builtin.apt:
 
        name: mcabber
 
        state: present
 

	
 
    - name: Install console-based XMPP tool (for non-interactive testing)
 
      ansible.builtin.apt:
 
        name: go-sendxmpp
 
        state: present
 

	
 
    - name: Create dedicated group for testing
 
      ansible.builtin.group:
 
        name: user
 
        state: present
 

	
 
    - name: Create dedicated user for testing
 
      ansible.builtin.user:
 
        name: user
 
        group: user
 
        ansible.builtin.shell: /bin/bash
 
        shell: /bin/bash
 

	
 
    - name: Deploy mcabber configuration files
 
      ansible.builtin.template:
 
        src: tests/data/mcabber.cfg.j2
 
        dest: "~user/{{ item.jid }}.cfg"
 
        owner: user
 
        group: user
 
        mode: "0600"
 
      with_items:
 
        - jid: john.doe@domain1
 
          password: johnpassword
 
          server: domain1
 
          security: tls
 
          nickname: john.doe
 
        - jid: jane.doe@domain2
 
          password: janepassword
 
          server: domain2
 
          security: ssl
 
          nickname: jane.doe
 
        - jid: mick.doe@domain3
 
          password: mickpassword
 
          server: domain3
 
          security: tls
 
          nickname: mick.doe
 
        - jid: noxmpp@domain1
 
          password: noxmpppassword
 
          server: domain1
 
          security: tls
 
          nickname: noxmpp
 

	
 
  handlers:
 

	
 
    - name: Update CA certificate cache  # noqa no-changed-when
 
      ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh
 
      # [no-changed-when] Commands should not change things if nothing needs doing
 
      #   Does not matter in test prepare stage.
 

	
 
- name: Prepare, helpers
 
  hosts: ldap-server
 
  become: true
 
  roles:
 
    - ldap_server
 
    - backup_server
 

	
 
- name: Prepare, test fixtures
 
  hosts: ldap-server
 
  become: true
 
  tasks:
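Review bot: Two plays in this file carry the same `name: Prepare, helpers` (the `hosts: clients` play and the `hosts: ldap-server` play near the end of the hunk), so their banners in run output cannot be told apart; rename the second, e.g. `- name: Prepare, helpers (LDAP and backup server)`. The first lines of the hunk belong to a task whose start is outside it, and the final 'Prepare, test fixtures' play continues beyond it.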