Changeset - 2d0a09dc0e00
Branko Majic (branko) - 7 years ago 2017-08-08 14:27:40
branko@majic.rs
MAR-114: Updated task syntax for the common role:

- Added quoting where it makes sense.
- Switched to using expanded syntax (instead of one-liners).
- Updated ordering of arguments in task definitions.
2 files changed with 246 insertions and 77 deletions:
roles/common/handlers/main.yml
 
---
 

	
 
- name: Update PAM configuration
 
  command: /usr/sbin/pam-auth-update --package
 
  command: "/usr/sbin/pam-auth-update --package"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
@@ -10,10 +10,12 @@
 
    - skip_ansible_lint
 

	
 
- name: Restart SSH
 
  service: name=ssh state=restarted
 
  service:
 
    name: ssh
 
    state: restarted
 

	
 
- name: Update CA certificate cache
 
  command: /usr/sbin/update-ca-certificates --fresh
 
  command: "/usr/sbin/update-ca-certificates --fresh"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
@@ -22,12 +24,14 @@
 
    - skip_ansible_lint
 

	
 
- name: Restart ferm
 
  service: name=ferm state=restarted
 
  service:
 
    name: ferm
 
    state: restarted
 

	
 
# @TODO: Replace this with use of systemd module once Ansible is upgraded to
 
# version 2.2+.
 
- name: Reload systemd
 
  command: systemctl daemon-reload
 
  command: "systemctl daemon-reload"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
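Review bot: The `Restart SSH` handler (`service:` / `name: ssh` / `state: restarted`) does a full stop/start, although the two sshd_config edits that notify it (PermitRootLogin, PasswordAuthentication) take effect on a reload, and a reload does not leave a window with no listener; consider `state: reloaded` for the ssh entry, leaving `Restart ferm` as is. Note also that tasks/main.yml in this same commit ends with `include: ../handlers/main.yml`, which runs every handler here as an ordinary task at the end of each play, so ssh and ferm are restarted and `pam-auth-update --package` is re-run on every run whether or not anything changed — if that is intended, a one-line comment at the top of this file saying so would spare the next reader the surprise. The final `Reload systemd` handler continues past the end of the hunk.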
roles/common/tasks/main.yml
 
---
 

	
 
- name: Enable use of proxy for retrieving system packages via apt
 
  template: src="apt_proxy.j2" dest="/etc/apt/apt.conf.d/00proxy"
 
            owner=root group=root mode=0644
 
  template:
 
    src: "apt_proxy.j2"
 
    dest: "/etc/apt/apt.conf.d/00proxy"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  when: apt_proxy is defined
 

	
 
- name: Disable use of proxy for retrieving system packages via apt
 
  file: path="/etc/apt/apt.conf.d/00proxy" state=absent
 
  file:
 
    path: "/etc/apt/apt.conf.d/00proxy"
 
    state: absent
 
  when: apt_proxy is undefined
 

	
 
- name: Deploy pam-auth-update configuration file for enabling pam_umask
 
  copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=0644 owner=root group=root
 
  notify: Update PAM configuration
 
  copy:
 
    src: "pam_umask"
 
    dest: "/usr/share/pam-configs/umask"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Update PAM configuration
 

	
 
- name: Set login UMASK
 
  lineinfile: dest=/etc/login.defs state=present backrefs=yes regexp='^UMASK(\s+)' line='UMASK\g<1>027'
 
  lineinfile:
 
    dest: "/etc/login.defs"
 
    state: present
 
    backrefs: yes
 
    regexp: '^UMASK(\s+)'
 
    line: 'UMASK\g<1>027'
 

	
 
- name: Set home directory mask
 
  lineinfile: dest=/etc/adduser.conf state=present backrefs=yes regexp='^DIR_MODE=' line='DIR_MODE=0750'
 
  lineinfile:
 
    dest: "/etc/adduser.conf"
 
    state: present
 
    backrefs: yes
 
    regexp: '^DIR_MODE='
 
    line: 'DIR_MODE=0750'
 

	
 
- name: Deploy bash profile configuration for fancier prompts
 
  template: src="bash_prompt.sh.j2" dest="/etc/profile.d/bash_prompt.sh"
 
            owner=root group=root mode=0644
 
  template:
 
    src: "bash_prompt.sh.j2"
 
    dest: "/etc/profile.d/bash_prompt.sh"
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Deploy profile configuration that allows for user-specific profile.d files
 
  copy: src="user_profile_d.sh" dest="/etc/profile.d/z99-user_profile_d.sh"
 
        owner=root group=root mode=0644
 
  copy:
 
    src: "user_profile_d.sh"
 
    dest: "/etc/profile.d/z99-user_profile_d.sh"
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Replace default and skeleton bashrc
 
  copy: src="{{ item.key }}" dest="{{ item.value }}"
 
        owner=root group=root mode=0644
 
  copy:
 
    src: "{{ item.key }}"
 
    dest: "{{ item.value }}"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  with_dict:
 
    skel_bashrc: "/etc/skel/.bashrc"
 
    bashrc: "/etc/bash.bashrc"
 
    skel_bashrc: "/etc/skel/.bashrc"
 

	
 
- name: Calculate stock checksum for bashrc root account
 
  stat: path="/root/.bashrc"
 
  stat:
 
    path: "/root/.bashrc"
 
  register: root_bashrc_stat
 

	
 
- name: Replace stock bashrc for root account with skeleton one
 
  copy: src="skel_bashrc" dest="/root/.bashrc"
 
        owner=root group=root mode=0640
 
  copy:
 
    src: "skel_bashrc"
 
    dest: "/root/.bashrc"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  when: root_bashrc_stat.stat.checksum == "b737c392222ddac2271cc8d0d8cc0308d08cf458"
 

	
 
- name: Install sudo
 
  apt: name=sudo state=present
 
  apt:
 
    name: sudo
 
    state: present
 

	
 
- name: Install ssl-cert package
 
  apt: name=ssl-cert state=present
 
  apt:
 
    name: ssl-cert
 
    state: present
 

	
 
- name: Install rcconf (workaround for systemctl broken handling of SysV)
 
  apt: name=rcconf state=present
 
  apt:
 
    name: rcconf
 
    state: present
 

	
 
- name: Install common packages
 
  apt: name="{{ item }}" state="present"
 
  apt:
 
    name: "{{ item }}"
 
    state: "present"
 
  with_items: "{{ common_packages }}"
 

	
 
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
 
  file: src="/usr/bin/mariadb_config" dest="/usr/bin/mysql_config" state=link
 
  file:
 
    src: "/usr/bin/mariadb_config"
 
    dest: "/usr/bin/mysql_config"
 
    state: link
 
  when: "'libmariadb-client-lgpl-dev-compat' in common_packages and ansible_distribution_release == 'jessie'"
 

	
 
- name: Disable electric-indent-mode for Emacs by default for all users
 
  copy: src="01disable-electric-indent-mode.el" dest="/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
 
        owner=root group=root mode=0644
 
  copy:
 
    src: "01disable-electric-indent-mode.el"
 
    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages"
 

	
 
- name: Set-up operating system groups
 
  group: name="{{ item.name }}" gid="{{ item.gid | default(omit) }}" state=present
 
  group:
 
    name: "{{ item.name }}"
 
    gid: "{{ item.gid | default(omit) }}"
 
    state: present
 
  with_items: "{{ os_groups }}"
 

	
 
- name: Set-up operating system user groups
 
  group: name="{{ item.name }}" gid="{{ item.uid | default(omit) }}" state=present
 
  group:
 
    name: "{{ item.name }}"
 
    gid: "{{ item.uid | default(omit) }}"
 
    state: present
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up operating system users
 
  user: name="{{ item.name }}" uid="{{ item.uid | default(omit) }}" group="{{ item.name }}"
 
        groups="{{ ",".join(item.additional_groups | default([])) }}" append=yes shell=/bin/bash state=present
 
        password="{{ item.password | default('!') }}" update_password=on_create
 
  user:
 
    name: "{{ item.name }}"
 
    uid: "{{ item.uid | default(omit) }}"
 
    group: "{{ item.name }}"
 
    groups: "{{ ','.join(item.additional_groups | default([])) }}"
 
    append: yes
 
    shell: /bin/bash
 
    state: present
 
    password: "{{ item.password | default('!') }}"
 
    update_password: on_create
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up authorised keys
 
  authorized_key: user="{{ item.0.name }}" key="{{ item.1 }}"
 
  authorized_key:
 
    user: "{{ item.0.name }}"
 
    key: "{{ item.1 }}"
 
  with_subelements:
 
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
 
    - authorized_keys
 

	
 
- name: Disable remote logins for root
 
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PermitRootLogin" line="PermitRootLogin no"
 
  lineinfile:
 
    dest: "/etc/ssh/sshd_config"
 
    state: present
 
    regexp: "^PermitRootLogin"
 
    line: "PermitRootLogin no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Disable remote login authentication via password
 
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PasswordAuthentication" line="PasswordAuthentication no"
 
  lineinfile:
 
    dest: "/etc/ssh/sshd_config"
 
    state: present
 
    regexp: "^PasswordAuthentication"
 
    line: "PasswordAuthentication no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Deploy CA certificates
 
  copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=0644 owner=root group=root
 
  copy:
 
    content: "{{ item.value }}"
 
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  with_dict: "{{ ca_certificates }}"
 
  register: deploy_ca_certificates_result
 

	
 
- name: Update CA certificate cache
 
  command: /usr/sbin/update-ca-certificates --fresh
 
  command: "/usr/sbin/update-ca-certificates --fresh"
 
  when: deploy_ca_certificates_result.changed
 
  tags:
 
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
 
@@ -111,69 +193,123 @@
 
    - skip_ansible_lint
 

	
 
- name: Install ferm (for firewall management)
 
  apt: name=ferm state=installed
 
  apt:
 
    name: ferm
 
    state: installed
 

	
 
- name: Configure ferm init script coniguration file
 
  copy: src=ferm dest=/etc/default/ferm owner=root group=root mode=0644
 
  copy:
 
    src: "ferm"
 
    dest: "/etc/default/ferm"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Restart ferm
 

	
 
- name: Create directory for storing ferm configuration files
 
  file: dest="/etc/ferm/conf.d/" mode=0750 state=directory owner=root group=root
 
  file:
 
    dest: "/etc/ferm/conf.d/"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0750
 

	
 
- name: Deploy main ferm configuration file
 
  copy: src=ferm.conf dest=/etc/ferm/ferm.conf owner=root group=root mode=0640
 
  copy:
 
    src: "ferm.conf"
 
    dest: "/etc/ferm/ferm.conf"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Deploy ferm base rules
 
  template: src=00-base.conf.j2 dest=/etc/ferm/conf.d/00-base.conf
 
            owner=root group=root mode=0640
 
  template:
 
    src: "00-base.conf.j2"
 
    dest: "/etc/ferm/conf.d/00-base.conf"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
 
  command: rcconf -on ferm
 
  command: "rcconf -on ferm"
 
  register: result
 
  changed_when: result.stderr == ""
 

	
 
- name: Enable ferm service
 
  service: name=ferm state=started
 
  service:
 
    name: ferm
 
    state: started
 

	
 
- name: Deploy script for validating server certificates
 
  copy: src="check_certificate.sh" dest="/usr/local/bin/check_certificate.sh"
 
        owner=root group=root mode=0755
 
  copy:
 
    src: "check_certificate.sh"
 
    dest: "/usr/local/bin/check_certificate.sh"
 
    owner: root
 
    group: root
 
    mode: 0755
 

	
 
- name: Set-up directory for holding configuration for certificate validation script
 
  file: path="/etc/check_certificate" state="directory"
 
        owner="root" group="root" mode="0755"
 
  file:
 
    path: "/etc/check_certificate"
 
    state: "directory"
 
    owner: root
 
    group: root
 
    mode: 0755
 

	
 
- name: Deploy crontab entry for checking certificates
 
  cron: name="check_certificate" cron_file="check_certificate" hour=0 minute=0 job="/usr/local/bin/check_certificate.sh expiration"
 
        state=present user=nobody
 
  cron:
 
    name: "check_certificate"
 
    cron_file: "check_certificate"
 
    hour: 0
 
    minute: 0
 
    job: "/usr/local/bin/check_certificate.sh expiration"
 
    state: present
 
    user: nobody
 

	
 
- name: Install apticron (for checking available upgrades)
 
  apt: name=apticron state=installed
 
  apt:
 
    name: apticron
 
    state: installed
 

	
 
# Implementation for checking pip requirements files via via pip-tools.
 
- name: Install virtualenv for pip requirements checks
 
  apt: name=virtualenv state=installed
 
  apt:
 
    name: virtualenv
 
    state: installed
 

	
 
- name: Create dedicated group for user running pip requirements checks
 
  group: name="pipreqcheck" gid="{{ pipreqcheck_gid | default(omit) }}" state=present
 
  group:
 
    name: "pipreqcheck"
 
    gid: "{{ pipreqcheck_gid | default(omit) }}"
 
    state: present
 

	
 
- name: Create user for running pip requirements checks
 
  user: name="pipreqcheck" uid="{{ pipreqcheck_uid | default(omit) }}" group="pipreqcheck"
 
        home="/var/lib/pipreqcheck" state=present
 
  user:
 
    name: "pipreqcheck"
 
    uid: "{{ pipreqcheck_uid | default(omit) }}"
 
    group: "pipreqcheck"
 
    home: "/var/lib/pipreqcheck"
 
    state: present
 

	
 
- name: Create directory for Python virtual environment used for installing/running pip-tools
 
  file: path="/var/lib/pipreqcheck/virtualenv" state=directory
 
        owner="pipreqcheck" group="pipreqcheck" mode="0750"
 
  file:
 
    path: "/var/lib/pipreqcheck/virtualenv"
 
    state: directory
 
    owner: pipreqcheck
 
    group: pipreqcheck
 
    mode: 0750
 

	
 
- name: Create Python virtual environment used for installing/running pip-tools
 
  command: "/usr/bin/virtualenv --prompt '(pipreqcheck)' '/var/lib/pipreqcheck/virtualenv'"
 
  args:
 
     creates: '/var/lib/pipreqcheck/virtualenv/bin/activate'
 
  become: yes
 
  become_user: "pipreqcheck"
 
  command: /usr/bin/virtualenv --prompt "(pipreqcheck)" "/var/lib/pipreqcheck/virtualenv" creates="/var/lib/pipreqcheck/virtualenv/bin/activate"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   Command will not run if the virtualenv has already been created,
 
@@ -181,47 +317,76 @@
 
    - skip_ansible_lint
 

	
 
- name: Create directory for storing pip requirements files
 
  file: path="/etc/pip_check_requirements_upgrades" state="directory"
 
        owner="root" group="pipreqcheck" mode=0750
 
  file:
 
    path: "/etc/pip_check_requirements_upgrades"
 
    state: "directory"
 
    owner: root
 
    group: pipreqcheck
 
    mode: 0750
 

	
 
- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself
 
  file: path="/etc/pip_check_requirements_upgrades/pipreqcheck" state="directory"
 
        owner="root" group="pipreqcheck" mode=0750
 
  file:
 
    path: "/etc/pip_check_requirements_upgrades/pipreqcheck"
 
    state: "directory"
 
    owner: root
 
    group: pipreqcheck
 
    mode: 0750
 

	
 
- name: Deploy .in file for pip requirements in pip-tools virtual environment
 
  copy: src="pipreqcheck_requirements.in" dest="/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"
 
        owner="root" group="pipreqcheck" mode=0640
 
  copy:
 
    src: "pipreqcheck_requirements.in"
 
    dest: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"
 
    owner: root
 
    group: pipreqcheck
 
    mode: 0640
 

	
 
- name: Deploy requirements file for pipreqcheck virtual environment
 
  template: src="pipreqcheck_requirements.txt.j2" dest="/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 
            owner="root" group="pipreqcheck" mode=0640
 
  template:
 
    src: "pipreqcheck_requirements.txt.j2"
 
    dest: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 
    owner: root
 
    group: pipreqcheck
 
    mode: 0640
 

	
 
- name: Install latest pip in pip-tools virtual environment
 
  pip:
 
    name: "pip>=9.0.0,<10.0.0"
 
    virtualenv: "~pipreqcheck/virtualenv"
 
  become: yes
 
  become_user: "pipreqcheck"
 
  pip: name="pip>=9.0.0,<10.0.0" virtualenv="~pipreqcheck/virtualenv"
 

	
 
- name: Install pip-tools if not present
 
  pip:
 
    name: pip-tools
 
    state: present
 
    virtualenv: "~pipreqcheck/virtualenv"
 
  become: yes
 
  become_user: "pipreqcheck"
 
  pip: name=pip-tools state=present virtualenv="~pipreqcheck/virtualenv"
 

	
 
- name: Synchronise pip-tools virtual environment via deployed requirements file
 
  become: yes
 
  become_user: "pipreqcheck"
 
  shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 
  args:
 
    executable: /bin/bash
 
  become: yes
 
  become_user: "pipreqcheck"
 
  register: pipreqcheck_pip_sync
 
  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"
 

	
 
- name: Deploy script for checking available upgrades
 
  copy: src="pip_check_requirements_upgrades.sh" dest="/usr/local/bin/pip_check_requirements_upgrades.sh"
 
        owner=root group=root mode=0755
 
  copy:
 
    src: "pip_check_requirements_upgrades.sh"
 
    dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"
 
    owner: root
 
    group: root
 
    mode: 0755
 

	
 
- name: Deploy crontab entry for checking pip requirements
 
  copy: src="cron_check_pip_requirements" dest="/etc/cron.d/check_pip_requirements"
 
        owner="root" group="root" mode=0644
 
  copy:
 
    src: "cron_check_pip_requirements"
 
    dest: "/etc/cron.d/check_pip_requirements"
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Explicitly run all handlers
 
  include: ../handlers/main.yml
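Review bot: The two sshd_config edits (`Disable remote logins for root` and `Disable remote login authentication via password`) write the file with `lineinfile` and then notify a full `Restart SSH`, but nothing checks that the resulting config still parses; a typo in `line:` or a pre-existing broken directive would leave sshd unable to start after the restart and lock out every future run. Add `validate: "/usr/sbin/sshd -t -f %s"` to both `lineinfile:` blocks so the edit is rejected before it is written. Separately, when `^PermitRootLogin` / `^PasswordAuthentication` match nothing (Debian ships them commented out), `lineinfile` appends at end of file; on a host whose sshd_config already contains a `Match` block that would scope the directive to that block rather than globally — if such hosts exist in this fleet, `insertbefore: "^Match"` with `firstmatch: yes` keeps the line in the global section. The same missing-validation concern applies, less critically, to the `Set login UMASK` and `Set home directory mask` tasks, which use `backrefs: yes` and therefore silently do nothing if the `UMASK` / `DIR_MODE=` line is absent.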