diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index a00536bfd5690bab774f1e4e8058e0d18a3a478c..d46c144af2bf070bfba9447ce9f6708863cdc171 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -4,7 +4,7 @@ # =========== - name: Drop deprecated directories and files - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -13,7 +13,7 @@ - "/etc/cron.d/check_pip_requirements-py3" - name: Drop deprecated packages - apt: + ansible.builtin.apt: name: - ntp - ntpdate @@ -24,7 +24,7 @@ # =================== - name: Enable use of proxy for retrieving system packages via apt - template: + ansible.builtin.template: src: "apt_proxy.j2" dest: "/etc/apt/apt.conf.d/00proxy" owner: root @@ -33,13 +33,13 @@ when: apt_proxy is defined - name: Disable use of proxy for retrieving system packages via apt - file: + ansible.builtin.file: path: "/etc/apt/apt.conf.d/00proxy" state: absent when: apt_proxy is undefined - name: Deploy pam-auth-update configuration file for enabling pam_umask - copy: + ansible.builtin.copy: src: "pam_umask" dest: "/usr/share/pam-configs/umask" owner: root @@ -55,12 +55,12 @@ # subsequent playbook runs, make sure the PAM configuration is # updated immediatelly. This way any files created by commands etc # should end-up with correct permissions straight away. - command: "/usr/sbin/pam-auth-update --package" + ansible.builtin.command: "/usr/sbin/pam-auth-update --package" when: pam_umask.changed changed_when: true # Always results in change due to task logic. - name: Set login UMASK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/login.defs" state: present backrefs: true @@ -68,7 +68,7 @@ line: 'UMASK\g<1>027' - name: Set home directory mask - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/adduser.conf" state: present backrefs: true 
@@ -76,7 +76,7 @@ line: 'DIR_MODE=0750' - name: Deploy bash profile configuration for fancier prompts - template: + ansible.builtin.template: src: "bash_prompt.sh.j2" dest: "/etc/profile.d/bash_prompt.sh" owner: root @@ -84,7 +84,7 @@ mode: "0644" - name: Deploy profile configuration that allows for user-specific profile.d files - copy: + ansible.builtin.copy: src: "user_profile_d.sh" dest: "/etc/profile.d/z99-user_profile_d.sh" owner: root @@ -92,7 +92,7 @@ mode: "0644" - name: Replace default and skeleton bashrc - copy: + ansible.builtin.copy: src: "{{ item.key }}" dest: "{{ item.value }}" owner: root @@ -103,12 +103,12 @@ skel_bashrc: "/etc/skel/.bashrc" - name: Calculate stock checksum for bashrc root account - stat: + ansible.builtin.stat: path: "/root/.bashrc" register: root_bashrc_stat - name: Replace stock bashrc for root account with skeleton one - copy: + ansible.builtin.copy: src: "skel_bashrc" dest: "/root/.bashrc" owner: root @@ -119,22 +119,22 @@ root_bashrc_stat.stat.checksum == "1a422a148ad225aa5ba33f8dafd2b7cfcdbd701f" - name: Install sudo - apt: + ansible.builtin.apt: name: sudo state: present - name: Install ssl-cert package - apt: + ansible.builtin.apt: name: ssl-cert state: present - name: Install common packages - apt: + ansible.builtin.apt: name: "{{ common_packages }}" state: "present" - name: Disable electric-indent-mode for Emacs by default for all users - copy: + ansible.builtin.copy: src: "01disable-electric-indent-mode.el" dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el" owner: root 
@@ -143,34 +143,34 @@ when: "['emacs24', 'emacs24-nox', 'emacs25', 'emacs25-nox', 'emacs', 'emacs-nox'] | intersect(common_packages) | length > 0" - name: Set-up operating system groups - group: + ansible.builtin.group: name: "{{ item.name }}" gid: "{{ item.gid | default(omit) }}" state: present with_items: "{{ os_groups }}" - name: Set-up operating system user groups - group: + ansible.builtin.group: name: "{{ item.name }}" gid: "{{ item.uid | default(omit) }}" state: present with_items: "{{ os_users }}" - name: Set-up operating system users - user: + ansible.builtin.user: name: "{{ item.name }}" uid: "{{ item.uid | default(omit) }}" group: "{{ item.name }}" groups: "{{ ','.join(item.additional_groups | default([])) }}" append: true - shell: /bin/bash + ansible.builtin.shell: /bin/bash state: present password: "{{ item.password | default('!') }}" update_password: on_create with_items: "{{ os_users }}" - name: Set-up authorised keys - authorized_key: + ansible.posix.authorized_key: user: "{{ item.0.name }}" key: "{{ item.1 }}" with_subelements: @@ -178,7 +178,7 @@ - authorized_keys - name: Disable remote logins for root - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/ssh/sshd_config" state: present regexp: "^PermitRootLogin" @@ -187,7 +187,7 @@ - Restart SSH - name: Disable remote login authentication via password - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/ssh/sshd_config" state: present regexp: "^PasswordAuthentication" @@ -196,7 +196,7 @@ - Restart SSH - name: Deploy CA certificates - copy: + ansible.builtin.copy: content: "{{ item.value }}" dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt" owner: root 
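Review bot: The `shell: /bin/bash` line inside the "Set-up operating system users" task is a parameter of `ansible.builtin.user`, not a module call, so rewriting it as `ansible.builtin.shell: /bin/bash` leaves the task with two action keys; Ansible rejects such a task ("conflicting action statements"), and because it sits before the sshd hardening tasks in this same hunk (PermitRootLogin, PasswordAuthentication), a failed run leaves those controls unapplied. The line should keep its original form, `shell: /bin/bash`, nested under `ansible.builtin.user:` beside `append: true`. The same hunk also swaps `authorized_key` for `ansible.posix.authorized_key`, which moves that task onto the `ansible.posix` collection; unless the role already declares that collection in a requirements file, the dependency should be added with this change so fresh control nodes can resolve the module.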
@@ -210,12 +210,12 @@ # CA certificate cache must be updated immediatelly in order for # applications depending on deployed CA certificates can use them to # validate server/client certificates. - command: "/usr/sbin/update-ca-certificates --fresh" + ansible.builtin.command: "/usr/sbin/update-ca-certificates --fresh" when: deploy_ca_certificates_result.changed changed_when: true # Always results in change due to task logic. - name: Set-up file diversions for custom files that overrride package-provided ones - command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'" + ansible.builtin.command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'" register: "dpkg_divert" changed_when: "'Adding' in dpkg_divert.stdout" with_items: @@ -224,7 +224,7 @@ - Restart ferm - name: Deploy the patched ferm binary that disables use of legacy iptables - copy: + ansible.builtin.copy: src: ferm_binary dest: /usr/sbin/ferm owner: root @@ -234,12 +234,12 @@ - Restart ferm - name: Install ferm (for firewall management) - apt: + ansible.builtin.apt: name: ferm state: present - name: Configure ferm init script coniguration file - copy: + ansible.builtin.copy: src: "ferm_default" dest: "/etc/default/ferm" owner: root @@ -249,7 +249,7 @@ - Restart ferm - name: Create directory for storing ferm configuration files - file: + ansible.builtin.file: dest: "/etc/ferm/conf.d/" state: directory owner: root @@ -257,7 +257,7 @@ mode: "0750" - name: Deploy main ferm configuration file - copy: + ansible.builtin.copy: src: "ferm.conf" dest: "/etc/ferm/ferm.conf" owner: root 
@@ -267,13 +267,13 @@ - Restart ferm - name: Verify maintenance_allowed_sources parameter - fail: + ansible.builtin.fail: msg: "Items in maintenance_allowed_sources must IPv4/IPv6 addresses or subnets: {{ item }}" when: "not (item is ansible.utils.ipv4_address or item is ansible.utils.ipv6_address)" with_items: "{{ maintenance_allowed_sources }}" - name: Deploy ferm base rules - template: + ansible.builtin.template: src: "00-base.conf.j2" dest: "/etc/ferm/conf.d/00-base.conf" owner: root @@ -283,13 +283,13 @@ - Restart ferm - name: Enable and start ferm - service: + ansible.builtin.service: name: ferm state: started enabled: true - name: Deploy script for flushing legacy iptables rules - copy: + ansible.builtin.copy: src: "legacy_iptables_rules.sh" dest: "/usr/local/sbin/drop_legacy_iptables_rules.sh" owner: root @@ -297,14 +297,14 @@ mode: "0755" - name: Drop legacy iptables rules - command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove" + ansible.builtin.command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove" register: legacy_iptables_rules changed_when: "'Removed legacy iptables for families' in legacy_iptables_rules.stdout" notify: - Restart ferm - name: Deploy script for validating server certificates - copy: + ansible.builtin.copy: src: "check_certificate.sh" dest: "/usr/local/bin/check_certificate.sh" owner: root @@ -312,7 +312,7 @@ mode: "0755" - name: Set-up directory for holding configuration for certificate validation script - file: + ansible.builtin.file: path: "/etc/check_certificate" state: "directory" owner: root @@ -320,7 +320,7 @@ mode: "0755" - name: Deploy crontab entry for checking certificates - cron: + ansible.builtin.cron: name: "check_certificate" cron_file: "check_certificate" hour: "0" 
@@ -330,31 +330,31 @@ user: nobody - name: Install apticron (for checking available upgrades) - apt: + ansible.builtin.apt: name: apticron state: present # It would be too much hassle to detect changed state, so just ignore it. - name: Preventively run apticron to avoid issues with locking - command: /usr/sbin/apticron --cron + ansible.builtin.command: /usr/sbin/apticron --cron changed_when: false # Implementation for checking pip requirements files via via pip-tools. - name: Install packages required for running pip requirements checks - apt: + ansible.builtin.apt: name: - python3-setuptools - virtualenv state: present - name: Create dedicated group for user running pip requirements checks - group: + ansible.builtin.group: name: "pipreqcheck" gid: "{{ pipreqcheck_gid | default(omit) }}" state: present - name: Create user for running pip requirements checks - user: + ansible.builtin.user: name: "pipreqcheck" uid: "{{ pipreqcheck_uid | default(omit) }}" group: "pipreqcheck" @@ -362,7 +362,7 @@ state: present - name: Retrieve system Python interpreter version - command: + ansible.builtin.command: argv: - "/usr/bin/python3" - "-c" @@ -371,7 +371,7 @@ register: python_interpreter_version - name: Retrieve virtual environment Python interpreter version (if initialised) - command: + ansible.builtin.command: argv: - "/var/lib/pipreqcheck/virtualenv/bin/python" - "-c" @@ -384,7 +384,7 @@ register: virtualenv_python_version - name: Retrieve virtual environment prompt - command: + ansible.builtin.command: argv: - "bash" - "-c" @@ -396,7 +396,7 @@ register: current_virtualenv_prompt - name: Remove virtual environment in case of mismatches - file: + ansible.builtin.file: path: "/var/lib/pipreqcheck/virtualenv" state: absent when: | 
@@ -405,7 +405,7 @@ current_virtualenv_prompt.stdout != "(pipreqcheck) " - name: Create directory for Python virtual environment used for installing/running pip-tools - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: pipreqcheck @@ -416,7 +416,7 @@ - "/var/lib/pipreqcheck/virtualenv" - name: Create Python virtual environment used for installing/running pip-tools - command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'" + ansible.builtin.command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'" args: creates: "{{ item.creates }}" become: true @@ -429,7 +429,7 @@ creates: "/var/lib/pipreqcheck/virtualenv/bin/python3" - name: Create directory for storing pip requirements files - file: + ansible.builtin.file: path: "{{ item }}" state: "directory" owner: root @@ -439,7 +439,7 @@ - "/etc/pip_check_requirements_upgrades" - name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself - file: + ansible.builtin.file: path: "{{ item }}" state: "directory" owner: root @@ -449,7 +449,7 @@ - "/etc/pip_check_requirements_upgrades/pipreqcheck" - name: Deploy .in file for pip requirements in pip-tools virtual environment - template: + ansible.builtin.template: src: "pipreqcheck_requirements.in.j2" dest: "{{ item.path }}" owner: root @@ -460,7 +460,7 @@ requirements: "{{ pip_check_requirements_in }}" - name: Deploy requirements file for pipreqcheck virtual environment - template: + ansible.builtin.template: src: "pipreqcheck_requirements.txt.j2" dest: "{{ item.file }}" owner: root @@ -471,7 +471,7 @@ requirements: "{{ pip_check_requirements }}" - name: Install requirements in the pipreqcheck virtual environment - pip: + ansible.builtin.pip: requirements: "{{ item.requirements }}" virtualenv: "{{ item.virtualenv }}" become: true 
@@ -481,7 +481,7 @@ requirements: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" - name: Synchronise pip-tools virtual environment via deployed requirements file - shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" + ansible.builtin.shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt" args: executable: /bin/bash become: true @@ -490,7 +490,7 @@ changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'" - name: Deploy script for checking available upgrades - copy: + ansible.builtin.copy: src: "pip_check_requirements_upgrades.sh" dest: "/usr/local/bin/pip_check_requirements_upgrades.sh" owner: root @@ -498,7 +498,7 @@ mode: "0755" - name: Deploy crontab entry for checking pip requirements - copy: + ansible.builtin.copy: src: "cron_check_pip_requirements" dest: "/etc/cron.d/check_pip_requirements" owner: root @@ -506,7 +506,7 @@ mode: "0644" - name: Install NTP packages - apt: + ansible.builtin.apt: name: - ntpsec - ntpsec-ntpdate @@ -514,7 +514,7 @@ when: ntp_pools | length > 0 - name: Remove NTP packages - apt: + ansible.builtin.apt: name: - ntpsec - ntpsec-ntpdate @@ -523,7 +523,7 @@ when: ntp_pools | length == 0 - name: Deploy NTP configuration - template: + ansible.builtin.template: src: "ntp.conf.j2" dest: "/etc/ntpsec/ntp.conf" owner: root @@ -534,7 +534,7 @@ - Restart NTP server - name: Explicitly run all handlers - include_tasks: ../handlers/main.yml + ansible.builtin.include_tasks: ../handlers/main.yml when: "run_handlers | default(False) | bool()" tags: - handlers