Changeset - 922cda0a1834
Branko Majic (branko) - 8 years ago 2016-06-09 15:19:33
branko@majic.rs
MAR-58: Updated roles, LDAP modules, and test site to be compatible with Ansible 2.0.x and 2.1.x. Switched from using sudo/sudo_user to become/become_user. Fixed referencing of variables within roles, mainly for with_items/with_dicts calls. Improved handling of options in ldap_entry module to avoid deprecation of passing dict-like arguments to ldap_entry module. Minor fix to ldap_permissions module.
16 files changed with 127 insertions and 93 deletions:
roles/backup_server/tasks/main.yml
 
@@ -13,7 +13,7 @@
 
- name: Create backup client groups
 
  group: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
         gid="{{ item.uid | default(omit) }}" system="yes"
 
  with_items: backup_clients
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create backup client users
 
  user: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
@@ -21,35 +21,35 @@
 
        groups="backup"
 
        uid="{{ item.uid | default(omit) }}"
 
        system=yes createhome=no state=present home="/srv/backups/{{ item.server }}"
 
  with_items: backup_clients
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create home directories for backup client users
 
  file: path="/srv/backups/{{ item.server }}" state=directory
 
        owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" mode=750
 
  with_items: backup_clients
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create duplicity directories for backup client users
 
  file: path="/srv/backups/{{ item.server }}/duplicity" state=directory
 
        owner="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        mode=770
 
  with_items: backup_clients
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create SSH directory for backup client users
 
  file: path="/srv/backups/{{ item.server }}/.ssh" state=directory
 
        owner="root" group="root" mode=751
 
  with_items: backup_clients
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Populate authorized keys for backup client users
 
  authorized_key: user="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
                  key="{{ item.public_key }}" manage_dir="no" state="present"
 
  with_items: backup_clients
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Set-up authorized_keys file permissions for backup client users
 
  file: path="/srv/backups/{{ item.server }}/.ssh/authorized_keys" state=file
 
        owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        mode=640
 
  with_items: backup_clients
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Deny the backup group login via regular SSH
 
  lineinfile: dest="/etc/ssh/sshd_config" state=present line="DenyGroups backup"
 
@@ -75,7 +75,7 @@
 
- name: Deploy the private keys for backup OpenSSH server instance
 
  copy: content="{{ item.value }}" dest="/etc/ssh-backup/ssh_host_{{ item.key }}_key"
 
        owner="root" group="root" mode="600"
 
  with_dict: backup_host_ssh_private_keys
 
  with_dict: "{{ backup_host_ssh_private_keys }}"
 
  no_log: True
 
  notify:
 
    - Restart backup SSH server
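Review bot: `item.server` is interpolated unchecked into filesystem paths (`/srv/backups/{{ item.server }}`) and into the derived account name in every task of this hunk, so a value containing `/` or `..` would create the home directory and `authorized_keys` outside `/srv/backups`, and characters outside `[A-Za-z0-9._-]` yield an invalid group/user name. The data comes from inventory, so this is a robustness guard rather than an exploitable hole, but one assertion before the first loop is cheap: `- name: Validate backup client names` / `assert: that="item.server | match('^[A-Za-z0-9][A-Za-z0-9.-]*$')"` / `with_items: "{{ backup_clients }}"`. The `DenyGroups backup` lineinfile task at the end of the hunk continues past the visible lines.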
roles/common/tasks/main.yml
 
@@ -41,21 +41,21 @@
 

	
 
- name: Install common packages
 
  apt: name="{{ item }}" state="present"
 
  with_items: common_packages
 
  with_items: "{{ common_packages }}"
 

	
 
- name: Set-up operating system groups
 
  group: name="{{ item.name }}" gid="{{ item.gid | default(omit) }}" state=present
 
  with_items: os_groups
 
  with_items: "{{ os_groups }}"
 

	
 
- name: Set-up operating system user groups
 
  group: name="{{ item.name }}" gid="{{ item.uid | default(omit) }}" state=present
 
  with_items: os_users
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up operating system users
 
  user: name="{{ item.name }}" uid="{{ item.uid | default(omit) }}" group="{{ item.name }}"
 
        groups="{{ ",".join(item.additional_groups | default([])) }}" append=yes shell=/bin/bash state=present
 
        password="{{ item.password | default('!') }}" update_password=on_create
 
  with_items: os_users
 
  with_items: "{{ os_users }}"
 

	
 
- name: Set-up authorised keys
 
  authorized_key: user="{{ item.0.name }}" key="{{ item.1 }}"
 
@@ -75,7 +75,7 @@
 

	
 
- name: Deploy CA certificates
 
  copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=644 owner=root group=root
 
  with_dict: ca_certificates
 
  with_dict: "{{ ca_certificates }}"
 
  notify:
 
    - Update CA certificate cache
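Review bot: The `Set-up operating system users` task passes `password="{{ item.password | default('!') }}"` while looping over `"{{ os_users }}"`, and per-item loop results record the whole `item`, so every user's password hash is echoed to the play output and any log sink; the `user` module masks its own `password` argument but not the loop item. Add `no_log: true` to that task. The `Set-up authorised keys` task that follows starts inside this hunk and continues past it.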
 

	
roles/ldap_server/library/ldap_entry.py
 
@@ -46,9 +46,15 @@ options:
 
    required: false
 
    default: ""
 

	
 
  ATTRIBUTES:
 
  attributes:
 
    description:
 
      - All remaining attributes are considered to be attributes for an LDAP
 
      - Dictionary defining attributes used for the LDAP entry. This is an
 
        alternative way to provide entry attributes, and can be used alone or in
 
        conjunction with method described for "UNLISTED_OPTIONS" (see below).
 

	
 
  OTHER_OPTIONS:
 
    description:
 
      - All remaining options are considered to be attributes for an LDAP
 
        entry. LDAP schema constraints should be kept in mind (i.e. one
 
        structural objectClass etc). Attributes can be passed in as a simple
 
        string (for one value of an attribute), for storing multiple values for
 
@@ -104,6 +110,7 @@ ldap_entry:
 
  uid: ""
 
"""
 

	
 
from ansible.module_utils.basic import *
 

	
 
# Try to load the Python LDAP module.
 
try:
 
@@ -335,7 +342,8 @@ def main():
 
            state=dict(required=False, choices=["present", "absent", "append", "replace"], default="present"),
 
            server_uri=dict(required=False, default="ldapi:///"),
 
            bind_dn=dict(required=False, default=None),
 
            bind_password=dict(required=False)
 
            bind_password=dict(required=False),
 
            attributes=dict(required=False, type='dict', default=None),
 
            ),
 
        check_invalid_arguments=False
 
        )
 
@@ -343,18 +351,32 @@ def main():
 
    if not ldap_found:
 
        module.fail_json(msg="The Python LDAP module is required")
 

	
 
    # Extract the attributes.
 
    # Extract the attributes. If a single value is provided for an attribute, it
 
    # must be convereted into one-element list. All items must be converted into
 
    # UTF-8 strings otherwise.
 
    attributes = {}
 

	
 
    def repack_value(value):
 
        """
 
        Small helper to repack a single value into list of UTF-8-encoded
 
        strings.
 
        """
 

	
 
        if isinstance(value, list):
 
            value = [ str(i).encode("utf-8") for i in value ]
 
        else:
 
            value = [ str(value).encode("utf-8") ]
 

	
 
        return value
 

	
 
    if module.params["attributes"]:
 
        for name, value in module.params["attributes"].iteritems():
 
            attributes[name] = repack_value(value)
 

	
 
    for name, value in module.params.iteritems():
 
        if name not in module.argument_spec:
 
            if value == "":
 
                pass
 
            elif isinstance(value, basestring):
 
                value = [ value.encode("utf-8") ]
 
            elif isinstance(value, list):
 
                value = [ i.encode("utf-8") for i in value ] 
 
            attributes[name] = value
 

	
 
            attributes.setdefault(name, []).extend(repack_value(value))
 
            attributes[name] = list(set(attributes[name]))
 
    try:
 
        connection = get_ldap_connection(module.params["server_uri"],
 
                                         module.params["bind_dn"],
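Review bot: `repack_value` regresses the old handling of non-ASCII values at the two `str(i).encode("utf-8")` lines: this file targets Python 2 (`basestring`, `iteritems`), so `str()` of a `unicode` value with non-ASCII characters raises `UnicodeEncodeError` before the entry is sent, whereas the removed code encoded the `basestring` directly. Stringify only non-text types: `to_bytes = lambda v: v.encode("utf-8") if isinstance(v, unicode) else str(v)` and then `[to_bytes(i) for i in value]` / `[to_bytes(value)]`. The `list(set(...))` de-duplication also discards value order, which is acceptable for LDAP multi-valued attributes but deserves a one-line comment saying so. `main()` starts before this hunk and continues after it.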
roles/ldap_server/library/ldap_permissions.py
 
@@ -106,6 +106,8 @@ ldap_permissions:
 
    bind_password: somepassword
 
"""
 

	
 
from ansible.module_utils.basic import *
 

	
 
# Try to load the Python LDAP module.
 
try:
 
    import ldap
 
@@ -262,7 +264,7 @@ def main():
 
    module = AnsibleModule(
 
        argument_spec=dict(
 
            filter=dict(required=True),
 
            rules=dict(required=True),
 
            rules=dict(required=True, type='list'),
 
            server_uri=dict(required=False, default="ldapi:///"),
 
            bind_dn=dict(required=False, default=None),
 
            bind_password=dict(required=False)
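Review bot: `rules=dict(required=True, type='list')` changes what a caller may pass: Ansible's list coercion turns a bare string into a list by splitting on commas, and OpenLDAP access directives routinely contain commas (`to attrs=userPassword,shadowLastChange`, DN components), so a single rule passed as a string would be silently chopped into fragments instead of rejected. Document in the module DOCUMENTATION that `rules` must be a YAML list of complete directives, and consider a sanity check in `main()` such as failing when any rule lacks a `by` clause, assuming the module expects each entry to be one full access directive. `main()` starts before this hunk and continues past it.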
roles/ldap_server/tasks/main.yml
 
@@ -134,7 +134,7 @@
 
    cn: "{{ item.name }}"
 
    userPassword: "{{ item.password }}"
 
    state: "{{ item.state | default('present') }}"
 
  with_items: ldap_server_consumers
 
  with_items: "{{ ldap_server_consumers }}"
 

	
 
- name: Create or remove user-supplied groups
 
  ldap_entry: ""
 
@@ -144,12 +144,15 @@
 
    cn: "{{ item.name }}"
 
    uniqueMember: "cn=NONE"
 
    state: "{{ item.state | default('append') }}"
 
  with_items: ldap_server_groups
 
  with_items: "{{ ldap_server_groups }}"
 

	
 
- name: Create user-supplied LDAP entries
 
  ldap_entry: ""
 
  args: "{{ item }}"
 
  with_items: ldap_entries
 
  args:
 
    dn: "{{ item.dn }}"
 
    state: "{{ item.state | default(omit)}}"
 
    attributes: "{{ item.attributes }}"
 
  with_items: "{{ ldap_entries }}"
 

	
 
- name: Deploy firewall configuration for LDAP
 
  copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=640
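Review bot: The rebuilt `Create user-supplied LDAP entries` task passes `attributes: "{{ item.attributes }}"` with no `no_log`, and the consumer task above it sets `userPassword: "{{ item.password }}"` the same way; since loop output records each `item`, the credentials of every entry (the testsite data places `userPassword` inside `attributes`) are printed and logged in clear. Add `no_log: true` to both tasks. Separately, `item.attributes` is now mandatory for every entry, unlike the old `args: "{{ item }}"` form; `attributes: "{{ item.attributes | default(omit) }}"` keeps entries that carry only `dn` and `state` (e.g. an `absent` removal) working, matching the module's `default=None`.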
roles/mail_forwarder/tasks/main.yml
 
@@ -21,7 +21,7 @@
 
    line: "{{ item.key }}: {{ item.value }}"
 
    regexp: "^{{ item.key }}"
 
    state: present
 
  with_dict: local_mail_aliases
 
  with_dict: "{{ local_mail_aliases }}"
 
  notify:
 
    - Rebuild mail aliases
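Review bot: `regexp: "^{{ item.key }}"` anchors only the start of the line, so an alias key that is a prefix of another (`post` vs `postmaster`, `root` vs `rootmail`) makes `lineinfile` match and overwrite the wrong alias entry, and any regex metacharacter in a key is interpreted rather than matched literally. Anchor on the alias delimiter as well: `regexp: "^{{ item.key }}:"`. The task's `name` and `dest` lines are above this hunk.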
 

	
roles/mail_server/tasks/main.yml
 
@@ -147,7 +147,7 @@
 

	
 
- name: Wait for ClamAV database to be available (up to 10 minutes)
 
  wait_for: path="{{ item.item | replace('.cld', '.cvd') }}" timeout=600
 
  with_items: clamav_db_files.results
 
  with_items: "{{ clamav_db_files.results }}"
 
  when: not item.stat.exists
 

	
 
- name: Enable ClamAV daemon and milter services
roles/php_website/tasks/main.yml
 
@@ -26,7 +26,7 @@
 

	
 
- name: Install extra packages for website
 
  apt: name="{{ item }}" state=installed
 
  with_items: packages
 
  with_items: "{{ packages }}"
 

	
 
- name: Deploy PHP FPM configuration file for website
 
  template: src="fpm_site.conf.j2" dest="/etc/php5/fpm/pool.d/{{ fqdn }}.conf" validate="php5-fpm -t -y %s"
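Review bot: `state=installed` on the `apt` task is a legacy alias of `present`, and the equivalent task in the `wsgi_website` role in this same changeset uses `state=present`; since the line is already being touched, make the two roles consistent with `apt: name="{{ item }}" state=present`. The role-level variable name `packages` is also shared with `wsgi_website`, which is worth a comment if the two roles are ever applied to the same host, though that is outside this hunk.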
roles/preseed/tasks/main.yml
 
@@ -6,7 +6,7 @@
 
- name: Create preseed configuration file
 
  template: src="preseed-jessie.cfg.j2" dest="{{ preseed_directory }}/{{ item }}.cfg"
 
            mode=640
 
  with_items: groups['all']
 
  with_items: "{{ groups['all'] }}"
 
  when: item != "localhost"
 

	
 
- name: Explicitly run all handlers
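Review bot: The preseed template is written with `mode=640` but no `owner`/`group`, so who can read the file depends entirely on the account running the play and its primary group; if `preseed-jessie.cfg.j2` carries installer credentials (not visible in this hunk), the group-read bit may expose them to an unintended group. State ownership explicitly, e.g. `owner=root group=root mode=640`, and keep the mode quoted (`"0640"`) if the task is later converted to native YAML so it is not read as a decimal integer.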
roles/wsgi_website/tasks/main.yml
 
@@ -25,14 +25,14 @@
 

	
 
- name: Install extra packages for website
 
  apt: name="{{ item }}" state=present
 
  with_items: packages
 
  with_items: "{{ packages }}"
 

	
 
- name: Create directory for storing the Python virtual environment
 
  file: path="{{ home }}/virtualenv" state=directory
 
        owner="{{ admin }}" group="{{ user }}" mode="2750"
 

	
 
- name: Create Python virtual environment
 
  sudo_user: "{{ admin }}"
 
  become_user: "{{ admin }}"
 
  command: /usr/bin/virtualenv --prompt "({{ fqdn }})" "{{ home }}/virtualenv" creates="{{ home }}/virtualenv/bin/activate"
 

	
 
- name: Configure project directory for the Python virtual environment
 
@@ -40,11 +40,11 @@
 
            owner="{{ admin }}" group="{{ user }}" mode="640"
 

	
 
- name: Create directory where virtualenvs will be symlinked to
 
  sudo_user: "{{ admin }}"
 
  become_user: "{{ admin }}"
 
  file: path="~/.virtualenvs" state=directory mode=750
 

	
 
- name: Create convenience symlink for Python virtual environment wrapper utility
 
  sudo_user: "{{ admin }}"
 
  become_user: "{{ admin }}"
 
  file: src="{{ home }}/virtualenv" dest="~/.virtualenvs/{{ fqdn }}" state=link
 

	
 
- name: Deploy virtualenv wrapper
 
@@ -52,17 +52,17 @@
 
            owner="{{ admin }}" group="{{ user }}" mode="750"
 

	
 
- name: Install futures package for use with Gunicorn thread workers
 
  sudo_user: "{{ admin }}"
 
  become_user: "{{ admin }}"
 
  pip: name=futures version="{{ futures_version }}" state=present virtualenv="{{ home }}/virtualenv"
 

	
 
- name: Install Gunicorn in Python virtual environment
 
  sudo_user: "{{ admin }}"
 
  become_user: "{{ admin }}"
 
  pip: name=gunicorn version="{{ gunicorn_version }}" state=present virtualenv="{{ home }}/virtualenv"
 

	
 
- name: Install additional packages in Python virtual environment
 
  sudo_user: "{{ admin }}"
 
  become_user: "{{ admin }}"
 
  pip: name="{{ item }}" state=present virtualenv="{{ home }}/virtualenv"
 
  with_items: virtualenv_packages
 
  with_items: "{{ virtualenv_packages }}"
 

	
 
- name: Deploy systemd socket configuration for website
 
  template: src="systemd_wsgi_website.socket.j2" dest="/etc/systemd/system/{{ fqdn }}.socket"
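Review bot: Each converted task sets `become_user: "{{ admin }}"` without `become: yes`; in Ansible 2.x `become_user` alone does not enable privilege escalation, so these tasks only switch to the admin account because the testsite playbooks set `become: yes` at play level, and a play that includes this role without it would run the virtualenv and `pip` steps as the SSH user. Make the role self-contained by adding `become: yes` alongside every `become_user` in the hunk. The `pip` tasks also install `virtualenv_packages` with no version constraint, unlike the pinned `futures`/`gunicorn` installs; if that is deliberate, a short comment saying so would help the next reader.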
testsite/group_vars/ldap.yml
 
@@ -47,60 +47,67 @@ ldap_server_tls_key: "{{ lookup('file', inventory_dir + '/tls/ldap.' + testsite_
 
ldap_server_ssf: 128
 

	
 
ldap_permissions:
 
  - >
 
    to *
 
    by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
    by dn="cn=admin,{{ testsite_ldap_base }}" manage
 
    by * break
 
  - >
 
    to attrs=userPassword,shadowLastChange
 
    by self write
 
    by anonymous auth
 
    by * none
 
  - >
 
    to dn.base=""
 
    by * read
 
  - >
 
    to *
 
    by self write
 
    by dn="cn=admin,{{ testsite_ldap_base }}" write
 
    by users read
 
    by * none
 
  - >-
 
      to *
 
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
      by dn="cn=admin,{{ testsite_ldap_base }}" manage
 
      by * break
 
  - >-
 
      to attrs=userPassword,shadowLastChange
 
      by self write
 
      by anonymous auth
 
      by * none
 
  - >-
 
      to dn.base=""
 
      by * read
 
  - >-
 
      to *
 
      by self write
 
      by dn="cn=admin,{{ testsite_ldap_base }}" write
 
      by users read
 
      by * none
 

	
 
ldap_entries:
 
  - dn: uid=johndoe,ou=people,{{ testsite_ldap_base }}
 
    objectClass:
 
      - inetOrgPerson
 
    uid: johndoe
 
    cn: John Doe
 
    sn: Doe
 
    userPassword: johndoe
 
    mail: john.doe@{{ testsite_domain }}
 
    attributes:
 
      objectClass:
 
        - inetOrgPerson
 
      uid: johndoe
 
      cn: John Doe
 
      sn: Doe
 
      userPassword: johndoe
 
      mail: john.doe@{{ testsite_domain }}
 
  - dn: uid=janedoe,ou=people,{{ testsite_ldap_base }}
 
    objectClass:
 
      - inetOrgPerson
 
    uid: janedoe
 
    cn: Jane Doe
 
    sn: Doe
 
    userPassword: janedoe
 
    mail: jane.doe@{{ testsite_domain }}
 
    attributes:
 
      objectClass:
 
        - inetOrgPerson
 
      uid: janedoe
 
      cn: Jane Doe
 
      sn: Doe
 
      userPassword: janedoe
 
      mail: jane.doe@{{ testsite_domain }}
 
  - dn: "cn=mail,ou=groups,{{ testsite_ldap_base }}"
 
    uniqueMember:
 
      - uid=johndoe,ou=people,{{ testsite_ldap_base }}
 
      - uid=janedoe,ou=people,{{ testsite_ldap_base }}
 
    state: append
 
    attributes:
 
      uniqueMember:
 
        - uid=johndoe,ou=people,{{ testsite_ldap_base }}
 
        - uid=janedoe,ou=people,{{ testsite_ldap_base }}
 
  - dn: "cn=xmpp,ou=groups,{{ testsite_ldap_base }}"
 
    uniqueMember:
 
      - uid=johndoe,ou=people,{{ testsite_ldap_base }}
 
      - uid=janedoe,ou=people,{{ testsite_ldap_base }}
 
    state: append
 
    attributes:
 
      uniqueMember:
 
        - uid=johndoe,ou=people,{{ testsite_ldap_base }}
 
        - uid=janedoe,ou=people,{{ testsite_ldap_base }}
 
  - dn: dc={{ testsite_domain }},ou=domains,ou=mail,ou=services,{{ testsite_ldap_base }}
 
    objectClass: dNSDomain
 
    dc: "{{ testsite_domain }}"
 
    attributes:
 
      objectClass: dNSDomain
 
      dc: "{{ testsite_domain }}"
 
  - dn: dc={{ testsite_domain_alternative }},ou=domains,ou=mail,ou=services,{{ testsite_ldap_base }}
 
    objectClass: dNSDomain
 
    dc: "{{ testsite_domain_alternative }}"
 
    attributes:
 
      objectClass: dNSDomain
 
      dc: "{{ testsite_domain_alternative }}"
 
  - dn: cn=postmaster@{{ testsite_domain }},ou=aliases,ou=mail,ou=services,{{ testsite_ldap_base }}
 
    objectClass: nisMailAlias
 
    cn: postmaster@{{ testsite_domain }}
 
    rfc822MailMember: john.doe@{{ testsite_domain }}
 
    attributes:
 
      objectClass: nisMailAlias
 
      cn: postmaster@{{ testsite_domain }}
 
      rfc822MailMember: john.doe@{{ testsite_domain }}
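Review bot: The last `ldap_permissions` rule, `to * by self write ... by users read by * none`, lets any bound user modify every attribute of its own entry except the two guarded by the earlier `attrs=userPassword,shadowLastChange` rule, including `mail` and `objectClass`; the entries below (`ou=mail,ou=services`, `rfc822MailMember`, the `mail`/`xmpp` groups) suggest services resolve users and aliases from this directory, so a user could redirect their own address. Restrict self-service to the intended attributes, e.g. change the rule to `by self read` and grant write only to `cn=admin`, adding an explicit `to attrs=...` rule for whatever users should edit themselves. This is testsite data, so the exposure is what the test site models, but the block also serves as the reference ACL for the role.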
testsite/playbooks/backup.yml
 
@@ -2,7 +2,7 @@
 

	
 
- hosts: backup
 
  remote_user: ansible
 
  sudo: yes
 
  become: yes
 
  roles:
 
    - common
 
    - mail_forwarder
testsite/playbooks/ldap.yml
 
@@ -2,7 +2,7 @@
 

	
 
- hosts: ldap
 
  remote_user: ansible
 
  sudo: yes
 
  become: yes
 
  roles:
 
    - common
 
    - mail_forwarder
testsite/playbooks/mail.yml
 
@@ -2,7 +2,7 @@
 

	
 
- hosts: mail
 
  remote_user: ansible
 
  sudo: yes
 
  become: yes
 
  roles:
 
    - common
 
    - ldap_client
testsite/playbooks/web.yml
 
@@ -2,7 +2,7 @@
 

	
 
- hosts: web
 
  remote_user: ansible
 
  sudo: yes
 
  become: yes
 
  roles:
 
    - common
 
    - ldap_client
testsite/playbooks/xmpp.yml
 
@@ -2,7 +2,7 @@
 

	
 
- hosts: xmpp
 
  remote_user: ansible
 
  sudo: yes
 
  become: yes
 
  roles:
 
    - common
 
    - ldap_client