Changeset - 9ac50dd4765d
0 3 0
Branko Majic (branko) - 7 years ago 2017-06-07 16:22:14
branko@majic.rs
MAR-22: Linting fixes for test implementation for role 'common':

- Fixed small error in documentation for additional_groups parameter in the
'common' role.
- Do not perform Ansible lint checks on handlers that run commands.
- Fixed permission mode specification to include leading zero (i.e. mode=0640
instead of mode=640) when deploying directories, files, and templates.
- Skip Ansible lint checks for the task that updates the CA certificate cache
  (the update must happen immediately at that point rather than in a handler).
- Use become_user in conjunction with become.
- Do not perform Ansible lint checks on command tasks that use the 'creates'
parameter.
- Do not use 'latest' version when installing pip in virtual environment used
for performing pip package upgrade checks.
3 files changed with 57 insertions and 22 deletions:
docs/rolereference.rst
 
@@ -355,7 +355,7 @@ Parameters
 
    will have OS-determined GID.
 

	
 
  **additional_groups** (list, optional, ``[]``)
 
    Comma-separated list of additional groups that a user should belong to.
 
    List of additional groups that a user should belong to.
 

	
 
  **authorized_keys** (list, optional, ``[]``)
 
    List of SSH public keys that should be deployed to user's authorized_keys
roles/common/handlers/main.yml
 
@@ -2,15 +2,35 @@
 

	
 
- name: Update PAM configuration
 
  command: /usr/sbin/pam-auth-update --package
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
    #   run the handlers manually as a way to bring the system to consistency
 
    #   after interrupted runs.
 
    - skip_ansible_lint
 

	
 
- name: Restart SSH
 
  service: name=ssh state=restarted
 

	
 
- name: Update CA certificate cache
 
  command: /usr/sbin/update-ca-certificates --fresh
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
    #   run the handlers manually as a way to bring the system to consistency
 
    #   after interrupted runs.
 
    - skip_ansible_lint
 

	
 
- name: Restart ferm
 
  service: name=ferm state=restarted
 

	
 
# @TODO: Replace this with use of systemd module once Ansible is upgraded to
 
# version 2.2+.
 
- name: Reload systemd
 
  command: systemctl daemon-reload
 
\ No newline at end of file
 
  command: systemctl daemon-reload
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
    #   run the handlers manually as a way to bring the system to consistency
 
    #   after interrupted runs.
 
    - skip_ansible_lint
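Review bot: The justification comments added to 'Update PAM configuration', 'Update CA certificate cache' and 'Reload systemd' say the handler runs only when the user explicitly runs handlers by hand, but roles/common/tasks/main.yml in this same commit ends with `- name: Explicitly run all handlers` / `include: ../handlers/main.yml`, which (unless a `when:` follows it outside the hunk) executes every handler, including `Restart SSH` and `Restart ferm`, on every application of the role. That makes the comment misleading for the next maintainer and means sshd and the firewall are restarted on each run even when nothing changed. I would reword the repeated comment to `#   This file is also included at the end of tasks/main.yml, so this command runs on every play, not only when handlers are run by hand.` and, for the SSH handler, consider `service: name=ssh state=reloaded` so the configuration is re-read without dropping the listener; confirm against the Debian init script's reload behaviour before switching.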
roles/common/tasks/main.yml
 
@@ -2,7 +2,7 @@
 

	
 
- name: Enable use of proxy for retrieving system packages via apt
 
  template: src="apt_proxy.j2" dest="/etc/apt/apt.conf.d/00proxy"
 
            owner=root group=root mode=644
 
            owner=root group=root mode=0644
 
  when: apt_proxy is defined
 

	
 
- name: Disable use of proxy for retrieving system packages via apt
 
@@ -10,7 +10,7 @@
 
  when: apt_proxy is undefined
 

	
 
- name: Deploy pam-auth-update configuration file for enabling pam_umask
 
  copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=644 owner=root group=root
 
  copy: src=pam_umask dest=/usr/share/pam-configs/umask mode=0644 owner=root group=root
 
  notify: Update PAM configuration
 

	
 
- name: Set login UMASK
 
@@ -21,15 +21,15 @@
 

	
 
- name: Deploy bash profile configuration for fancier prompts
 
  template: src="bash_prompt.sh.j2" dest="/etc/profile.d/bash_prompt.sh"
 
            owner=root group=root mode=644
 
            owner=root group=root mode=0644
 

	
 
- name: Deploy profile configuration that allows for user-specific profile.d files
 
  copy: src="user_profile_d.sh" dest="/etc/profile.d/z99-user_profile_d.sh"
 
        owner=root group=root mode=644
 
        owner=root group=root mode=0644
 

	
 
- name: Replace default and skeleton bashrc
 
  copy: src="{{ item.key }}" dest="{{ item.value }}"
 
        owner=root group=root mode=644
 
        owner=root group=root mode=0644
 
  with_dict:
 
    skel_bashrc: "/etc/skel/.bashrc"
 
    bashrc: "/etc/bash.bashrc"
 
@@ -40,7 +40,7 @@
 

	
 
- name: Replace stock bashrc for root account with skeleton one
 
  copy: src="skel_bashrc" dest="/root/.bashrc"
 
        owner=root group=root mode=640
 
        owner=root group=root mode=0640
 
  when: root_bashrc_stat.stat.checksum == "b737c392222ddac2271cc8d0d8cc0308d08cf458"
 

	
 
- name: Install sudo
 
@@ -62,7 +62,7 @@
 

	
 
- name: Disable electric-indent-mode for Emacs by default for all users
 
  copy: src="01disable-electric-indent-mode.el" dest="/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
 
        owner=root group=root mode=644
 
        owner=root group=root mode=0644
 
  when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages"
 

	
 
- name: Set-up operating system groups
 
@@ -96,24 +96,30 @@
 
    - Restart SSH
 

	
 
- name: Deploy CA certificates
 
  copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=644 owner=root group=root
 
  copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=0644 owner=root group=root
 
  with_dict: "{{ ca_certificates }}"
 
  register: deploy_ca_certificates_result
 

	
 
- name: Update CA certificate cache
 
  command: /usr/sbin/update-ca-certificates --fresh
 
  when: deploy_ca_certificates_result.changed
 
  tags:
 
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
 
    #   CA certificate cache must be updated immediatelly in order for
 
    #   applications depending on deployed CA certificates can use them to
 
    #   validate server/client certificates.
 
    - skip_ansible_lint
 

	
 
- name: Install ferm (for firewall management)
 
  apt: name=ferm state=installed
 

	
 
- name: Configure ferm init script coniguration file
 
  copy: src=ferm dest=/etc/default/ferm owner=root group=root mode=644
 
  copy: src=ferm dest=/etc/default/ferm owner=root group=root mode=0644
 
  notify:
 
    - Restart ferm
 

	
 
- name: Create directory for storing ferm configuration files
 
  file: dest="/etc/ferm/conf.d/" mode=750 state=directory owner=root group=root
 
  file: dest="/etc/ferm/conf.d/" mode=0750 state=directory owner=root group=root
 

	
 
- name: Deploy main ferm configuration file
 
  copy: src=ferm.conf dest=/etc/ferm/ferm.conf
 
@@ -122,7 +128,7 @@
 

	
 
- name: Deploy ferm base rules
 
  template: src=00-base.conf.j2 dest=/etc/ferm/conf.d/00-base.conf
 
            owner=root group=root mode=640
 
            owner=root group=root mode=0640
 
  notify:
 
    - Restart ferm
 

	
 
@@ -136,11 +142,11 @@
 

	
 
- name: Deploy script for validating server certificates
 
  copy: src="check_certificate.sh" dest="/usr/local/bin/check_certificate.sh"
 
        owner=root group=root mode=755
 
        owner=root group=root mode=0755
 

	
 
- name: Set-up directory for holding configuration for certificate validation script
 
  file: path="/etc/check_certificate" state="directory"
 
        owner="root" group="root" mode="755"
 
        owner="root" group="root" mode="0755"
 

	
 
- name: Deploy crontab entry for checking certificates
 
  cron: name="check_certificate" cron_file="check_certificate" hour=0 minute=0 job="/usr/local/bin/check_certificate.sh expiration"
 
@@ -165,34 +171,43 @@
 
        owner="pipreqcheck" group="pipreqcheck" mode="0750"
 

	
 
- name: Create Python virtual environment used for installing/running pip-tools
 
  become: yes
 
  become_user: "pipreqcheck"
 
  command: /usr/bin/virtualenv --prompt "(pipreqcheck)" "/var/lib/pipreqcheck/virtualenv" creates="/var/lib/pipreqcheck/virtualenv/bin/activate"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   Command will not run if the virtualenv has already been created,
 
    #   therefore the warning is a false positive.
 
    - skip_ansible_lint
 

	
 
- name: Create directory for storing pip requirements files
 
  file: path="/etc/pip_check_requirements_upgrades" state="directory"
 
        owner="root" group="pipreqcheck" mode=750
 
        owner="root" group="pipreqcheck" mode=0750
 

	
 
- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself
 
  file: path="/etc/pip_check_requirements_upgrades/pipreqcheck" state="directory"
 
        owner="root" group="pipreqcheck" mode=750
 
        owner="root" group="pipreqcheck" mode=0750
 

	
 
- name: Deploy .in file for pip requirements in pip-tools virtual environment
 
  copy: src="pipreqcheck_requirements.in" dest="/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"
 
        owner="root" group="pipreqcheck" mode=640
 
        owner="root" group="pipreqcheck" mode=0640
 

	
 
- name: Deploy requirements file for pipreqcheck virtual environment
 
  template: src="pipreqcheck_requirements.txt.j2" dest="/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 
            owner="root" group="pipreqcheck" mode=640
 
            owner="root" group="pipreqcheck" mode=0640
 

	
 
- name: Install latest pip in pip-tools virtual environment
 
  become: yes
 
  become_user: "pipreqcheck"
 
  pip: name=pip state=latest virtualenv="~pipreqcheck/virtualenv"
 
  pip: name="pip>=9.0.0,<10.0.0" virtualenv="~pipreqcheck/virtualenv"
 

	
 
- name: Install pip-tools if not present
 
  become: yes
 
  become_user: "pipreqcheck"
 
  pip: name=pip-tools state=present virtualenv="~pipreqcheck/virtualenv"
 

	
 
- name: Synchronise pip-tools virtual environment via deployed requirements file
 
  become: yes
 
  become_user: "pipreqcheck"
 
  shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
 
  args:
 
@@ -202,11 +217,11 @@
 

	
 
- name: Deploy script for checking available upgrades
 
  copy: src="pip_check_requirements_upgrades.sh" dest="/usr/local/bin/pip_check_requirements_upgrades.sh"
 
        owner=root group=root mode=755
 
        owner=root group=root mode=0755
 

	
 
- name: Deploy crontab entry for checking pip requirements
 
  copy: src="cron_check_pip_requirements" dest="/etc/cron.d/check_pip_requirements"
 
        owner="root" group="root" mode=644
 
        owner="root" group="root" mode=0644
 

	
 
- name: Explicitly run all handlers
 
  include: ../handlers/main.yml
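Review bot: Certificates dropped from `ca_certificates` are never removed from /usr/local/share/ca-certificates, so the 'Deploy CA certificates' / 'Update CA certificate cache' pair only ever adds trust: `update-ca-certificates --fresh` rebuilds the bundle from whatever .crt files remain in that directory, and nothing triggers a rebuild when a key disappears from the dict. A CA the operator has removed (for example after a compromise or rotation) therefore stays trusted on the host until someone deletes the file manually. If the role owns that directory, I would enumerate the existing .crt files, remove those whose basename is not a key in `ca_certificates`, and extend the `when` so the cache rebuild also fires on removal, as sketched below (the `find` module needs Ansible 2.0 or later; confirm the role's baseline, and note `--fresh` already prunes stale symlinks once the source file is gone). Separately, the task changed to pin `pip>=9.0.0,<10.0.0` is still titled 'Install latest pip in pip-tools virtual environment'; `- name: Install pip 9.x in pip-tools virtual environment` would match what it now does.

```yaml
- name: Deploy CA certificates
  copy: content="{{ item.value }}" dest="/usr/local/share/ca-certificates/{{ item.key }}.crt" mode=0644 owner=root group=root
  with_dict: "{{ ca_certificates }}"
  register: deploy_ca_certificates_result

- name: Find CA certificates no longer listed in ca_certificates
  find: paths="/usr/local/share/ca-certificates" patterns="*.crt"
  register: existing_ca_certificates

- name: Remove CA certificates no longer listed in ca_certificates
  file: path="{{ item.path }}" state=absent
  with_items: "{{ existing_ca_certificates.files }}"
  when: (item.path | basename | regex_replace('\\.crt$', '')) not in ca_certificates
  register: remove_ca_certificates_result

- name: Update CA certificate cache
  command: /usr/sbin/update-ca-certificates --fresh
  when: deploy_ca_certificates_result.changed or remove_ca_certificates_result.changed
  # … unchanged: tags / skip_ansible_lint justification …
```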