

branko
Noticket: Fixed documentation and examples for CA certificate deployment in common role. Fixed usage instructions, mainly some syntax changes and more explicit listing of parameters and such. Fixed path to truststore file for mail_forwarder role. Fixed testsite configuration for CA certificates.
---

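# Optional apt proxy: rendered only when the inventory defines apt_proxy and
# removed otherwise, so a stale proxy setting cannot linger once the variable
# is dropped.
- name: Enable use of proxy for retrieving system packages via apt
  template:
    src: apt_proxy.j2
    dest: /etc/apt/apt.conf.d/00proxy
    owner: root
    group: root
    # Quoted so the leading zero is kept as an octal mode, not parsed as int.
    mode: "0644"
    # NOTE(review): world-readable; if apt_proxy ever carries credentials in
    # the URL, tighten this to "0640" -- confirm against apt_proxy.j2.
  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt
  file:
    path: /etc/apt/apt.conf.d/00proxy
    state: absent
  when: apt_proxy is undefined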

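# pam_umask is enabled through pam-auth-update; the notified handler
# regenerates the PAM stack once this profile is in place.
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    mode: "0644"
  notify: Update PAM configuration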

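# Both edits rewrite an existing line in place (backrefs). If the key is
# missing from the file, lineinfile makes no change and reports ok, so the
# restrictive mask is only applied where the stock line already exists.
- name: Set login UMASK
  lineinfile:
    dest: /etc/login.defs
    state: present
    backrefs: true
    regexp: '^UMASK(\s+)'
    # \g<1> re-emits the captured whitespace so column alignment is kept.
    line: 'UMASK\g<1>027'

- name: Set home directory mask
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    backrefs: true
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'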

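- name: Deploy bash profile configuration for fancier prompts
  template:
    src: bash_prompt.sh.j2
    dest: /etc/profile.d/bash_prompt.sh
    owner: root
    group: root
    mode: "0644"

# Map of role file -> destination: both the system-wide bashrc and the
# skeleton copied into new home directories are replaced.
- name: Replace default and skeleton bashrc
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    owner: root
    group: root
    mode: "0644"
  with_dict:
    skel_bashrc: /etc/skel/.bashrc
    bashrc: /etc/bash.bashrc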

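- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

- name: Install rcconf (workaround for systemctl broken handling of SysV)
  apt:
    name: rcconf
    state: present

# common_packages comes from role defaults/inventory; one apt call per entry.
- name: Install common packages
  apt:
    name: "{{ item }}"
    state: present
  with_items: "{{ common_packages }}"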

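# Groups first: every os_groups entry, then a private group per user (named
# after the user, gid equal to the uid when one is given) so that the user
# task below can reference it as the primary group.
- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: present
  with_items: "{{ os_groups }}"

- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"

- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    # additional_groups is optional; the join yields "" when it is absent.
    groups: "{{ item.additional_groups | default([]) | join(',') }}"
    append: true
    shell: /bin/bash
    state: present
    # The user module expects a crypt(3) hash here, not plaintext. "!" is not
    # a valid hash, so accounts created without a password cannot log in
    # with one; on_create keeps the hash from being rewritten on later runs.
    password: "{{ item.password | default('!') }}"
    update_password: on_create
    # NOTE(review): each item (including the hash) is echoed in task output;
    # consider no_log: true if play logs are shipped off-host.
  with_items: "{{ os_users }}"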

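# Only users that declare authorized_keys are visited. Keys are added but
# never pruned: removing one from the inventory leaves it on the host, so
# key rotation needs the module's exclusive mode or a separate revocation
# step.
- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys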

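# Each edit replaces an existing uncommented directive or adds one. sshd uses
# the first value it reads for a keyword, and anything appended after a
# trailing "Match" block is scoped to that block, so a missing directive is
# inserted at the top of the file instead of the end. validate runs sshd's
# own config check on the candidate file before it replaces the real one, so
# a broken edit cannot be followed by a restart that locks everyone out.
- name: Disable remote logins for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PermitRootLogin'
    line: PermitRootLogin no
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

- name: Disable remote login authentication via password
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PasswordAuthentication'
    line: PasswordAuthentication no
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH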

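# Each ca_certificates entry becomes <key>.crt under the local CA directory
# and the handler rebuilds the system trust store. Entries removed from
# ca_certificates are NOT removed here, so a retired CA stays trusted until
# its file is deleted by hand.
- name: Deploy CA certificates
  copy:
    content: "{{ item.value }}"
    # item.key is used verbatim in the path; keep keys to plain file names.
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
    owner: root
    group: root
    # Public certificates; world-readable is expected.
    mode: "0644"
  with_dict: "{{ ca_certificates }}"
  notify:
    - Update CA certificate cache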

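- name: Install ferm (for firewall management)
  apt:
    name: ferm
    # "installed" was a deprecated alias; use the same state as the other
    # apt tasks in this file.
    state: present

- name: Configure ferm init script coniguration file
  copy:
    src: ferm
    dest: /etc/default/ferm
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

# Rule fragments live here; 0750 keeps the firewall layout readable by root
# only.
- name: Create directory for storing ferm configuration files
  file:
    dest: /etc/ferm/conf.d/
    state: directory
    owner: root
    group: root
    mode: "0750"

- name: Deploy main ferm configuration file
  copy:
    src: ferm.conf
    dest: /etc/ferm/ferm.conf
    # Ownership and mode were previously left to the defaults; pin them like
    # the other ferm files so the rule set is not world-readable.
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Deploy ferm base rules
  template:
    src: 00-base.conf.j2
    dest: /etc/ferm/conf.d/00-base.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm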

# Boot-time enablement goes through rcconf (see task name for why).
# NOTE(review): a successful run leaves stderr empty, so this task reports
# "changed" on every play; confirm whether rcconf writes anything to stderr
# when the service is already enabled before relying on change reporting.
- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
  command: rcconf -on ferm
  register: result
  changed_when: result.stderr == ""

# Starts ferm now; enabling it for boot is handled by the rcconf task above.
- name: Enable ferm service
  service: name=ferm state=started

# Opt-in: when the play sets handlers to a truthy value, every handler is
# run here instead of waiting for the end of the play.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: handlers | default(False) | bool
  tags:
    - handlers