
Location: majic-ansible-roles/roles/common/tasks/main.yml

branko
MAR-124: Updated mail_forwarder test_tls_enforced_towards_relay_mail_server to be a bit more robust against a race condition.
---

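# apt proxy: the two tasks below are mutually exclusive on `apt_proxy`, so
# exactly one of them runs and the proxy drop-in is either rendered or removed.
- name: Enable use of proxy for retrieving system packages via apt
  template:
    src: "apt_proxy.j2"
    dest: "/etc/apt/apt.conf.d/00proxy"
    owner: root
    group: root
    # Quoted so the mode stays an octal string on every YAML parser (an
    # unquoted 0644 is read as decimal 644 under YAML 1.2).
    mode: "0644"
  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt
  file:
    path: "/etc/apt/apt.conf.d/00proxy"
    state: absent
  when: apt_proxy is undefined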

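# Role file registered with pam-auth-update; the notified handler activates it.
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: "pam_umask"
    dest: "/usr/share/pam-configs/umask"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Update PAM configuration

# With backrefs enabled, lineinfile only rewrites an existing match; if the
# UMASK directive is missing from the file it is left untouched and the
# tighter mask is silently not applied.  TODO(review): confirm that is intended.
- name: Set login UMASK
  lineinfile:
    dest: "/etc/login.defs"
    state: present
    backrefs: true
    regexp: '^UMASK(\s+)'
    # \g<1> keeps whatever whitespace the stock file uses between key and value.
    line: 'UMASK\g<1>027'

# Same backrefs caveat as above: only an existing DIR_MODE= line is changed.
- name: Set home directory mask
  lineinfile:
    dest: "/etc/adduser.conf"
    state: present
    backrefs: true
    regexp: '^DIR_MODE='
    # New home directories are not readable by "other".
    line: 'DIR_MODE=0750'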

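- name: Deploy bash profile configuration for fancier prompts
  template:
    src: "bash_prompt.sh.j2"
    dest: "/etc/profile.d/bash_prompt.sh"
    owner: root
    group: root
    mode: "0644"

- name: Deploy profile configuration that allows for user-specific profile.d files
  copy:
    src: "user_profile_d.sh"
    dest: "/etc/profile.d/z99-user_profile_d.sh"
    owner: root
    group: root
    mode: "0644"

# Both the system-wide and the skeleton bashrc come from role files; the dict
# maps role file name -> destination path.
- name: Replace default and skeleton bashrc
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    owner: root
    group: root
    mode: "0644"
  with_dict:
    bashrc: "/etc/bash.bashrc"
    skel_bashrc: "/etc/skel/.bashrc"

# root's bashrc is only replaced while it is still the stock one (identified by
# checksum), so edits made by an administrator are never clobbered.
- name: Calculate stock checksum for bashrc root account
  stat:
    path: "/root/.bashrc"
  register: root_bashrc_stat

- name: Replace stock bashrc for root account with skeleton one
  copy:
    src: "skel_bashrc"
    dest: "/root/.bashrc"
    owner: root
    group: root
    mode: "0640"
  # `stat.checksum` is absent when the file does not exist; the `exists` guard
  # keeps the condition from failing on an undefined attribute in that case.
  when: root_bashrc_stat.stat.exists and root_bashrc_stat.stat.checksum == "b737c392222ddac2271cc8d0d8cc0308d08cf458"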

# Baseline packages installed unconditionally.
- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

# Used further below to enable the ferm SysV service on boot.
- name: Install rcconf (workaround for systemctl broken handling of SysV)
  apt:
    name: rcconf
    state: present

# Loops over the role variable `common_packages`.
# TODO(review): the apt module also accepts a list in `name`, installing
# everything in one transaction — confirm the minimum Ansible version and the
# empty-list behaviour before switching.
- name: Install common packages
  apt:
    name: "{{ item }}"
    state: "present"
  with_items: "{{ common_packages }}"

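# Only relevant when the MariaDB compat dev package is part of `common_packages`
# on jessie (see the Debian bug referenced in the task name).
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
  file:
    src: "/usr/bin/mariadb_config"
    dest: "/usr/bin/mysql_config"
    state: link
  when: "'libmariadb-client-lgpl-dev-compat' in common_packages and ansible_distribution_release == 'jessie'"

# Site-wide Emacs start-up file, deployed only if one of the emacs24 packages is
# being installed by this role.
- name: Disable electric-indent-mode for Emacs by default for all users
  copy:
    src: "01disable-electric-indent-mode.el"
    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
    owner: root
    group: root
    # Quoted to keep the octal mode unambiguous across YAML parsers.
    mode: "0644"
  when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages"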

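- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    # `omit` lets the system pick a GID when none is configured.
    gid: "{{ item.gid | default(omit) }}"
    state: present
  with_items: "{{ os_groups }}"

# Per-user private groups: the group shares the user's name and, when a fixed
# UID is configured, takes the same numeric value as its GID.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"

- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    # `join` filter instead of calling str.join from inside the template.
    groups: "{{ item.additional_groups | default([]) | join(',') }}"
    # Supplementary groups are added to, never replaced, so membership granted
    # outside this role survives a re-run.
    append: true
    shell: /bin/bash
    state: present
    # The user module expects an already-hashed value here, never plaintext.
    # '!' yields a locked password field (no password login), and `on_create`
    # ensures an existing user's password is not reset by a re-run.
    password: "{{ item.password | default('!') }}"
    update_password: on_create
  with_items: "{{ os_users }}"

- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  # Only users that declare `authorized_keys` take part in the loop.
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys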

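# sshd hardening.  Each edit is checked with `sshd -t` against the candidate
# file before it replaces sshd_config, so a malformed directive is never
# installed and cannot make the "Restart SSH" handler fail (which would lock
# out remote administration).
# A commented-out default such as `#PermitRootLogin ...` does not match the
# anchored regexp, so the directive is appended at end of file.
# NOTE(review): if sshd_config ever gains a trailing `Match` block, an appended
# directive would be scoped to that block instead of applying globally; an
# `insertbefore` anchor would then be needed.
- name: Disable remote logins for root
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH

- name: Disable remote login authentication via password
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH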

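# Each entry of `ca_certificates` (name -> certificate content) becomes a .crt
# file in the local CA store; the result is registered so the cache is only
# rebuilt when something actually changed.
- name: Deploy CA certificates
  copy:
    content: "{{ item.value }}"
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
    owner: root
    group: root
    # CA certificates are public; world-readable is fine.
    mode: "0644"
  with_dict: "{{ ca_certificates }}"
  register: deploy_ca_certificates_result

- name: Update CA certificate cache
  command: "/usr/sbin/update-ca-certificates --fresh"
  # `default(false)` covers an empty `ca_certificates` dict, where the loop is
  # skipped and the registered result may carry no `changed` key.
  when: deploy_ca_certificates_result.changed | default(false)
  tags:
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
    #   CA certificate cache must be updated immediately so that applications
    #   depending on deployed CA certificates can use them to validate
    #   server/client certificates.
    - skip_ansible_lint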

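# Firewall: ferm is installed and configured from the role's static files plus
# a templated base rule set; any configuration change restarts ferm.
- name: Install ferm (for firewall management)
  apt:
    name: ferm
    # `present` matches the other apt tasks in this file; `installed` is a
    # deprecated alias.
    state: present

- name: Configure ferm init script configuration file
  copy:
    src: "ferm"
    dest: "/etc/default/ferm"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

# Rule files are readable by root only (0750 directory, 0640 files).
- name: Create directory for storing ferm configuration files
  file:
    dest: "/etc/ferm/conf.d/"
    state: directory
    owner: root
    group: root
    mode: "0750"

- name: Deploy main ferm configuration file
  copy:
    src: "ferm.conf"
    dest: "/etc/ferm/ferm.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Deploy ferm base rules
  template:
    src: "00-base.conf.j2"
    dest: "/etc/ferm/conf.d/00-base.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# rcconf (installed earlier in this file) stands in for the service module's
# `enabled` handling, per the workaround named in the task.
- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
  command: "rcconf -on ferm"
  register: result
  # NOTE(review): reports `changed` whenever rcconf prints nothing on stderr —
  # presumably rcconf warns on stderr when the service is already enabled;
  # confirm, otherwise this task is never idempotent.
  changed_when: result.stderr == ""

- name: Enable ferm service
  service:
    name: ferm
    state: started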

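- name: Deploy script for validating server certificates
  copy:
    src: "check_certificate.sh"
    dest: "/usr/local/bin/check_certificate.sh"
    owner: root
    group: root
    mode: "0755"

- name: Set-up directory for holding configuration for certificate validation script
  file:
    path: "/etc/check_certificate"
    state: "directory"
    owner: root
    group: root
    mode: "0755"

# Daily expiration check at midnight, run as the unprivileged `nobody` user
# from a dedicated file under /etc/cron.d.
- name: Deploy crontab entry for checking certificates
  cron:
    name: "check_certificate"
    cron_file: "check_certificate"
    hour: 0
    minute: 0
    job: "/usr/local/bin/check_certificate.sh expiration"
    state: present
    user: nobody

- name: Install apticron (for checking available upgrades)
  apt:
    name: apticron
    # `present` matches the rest of this file; `installed` is a deprecated alias.
    state: present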

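# Implementation for checking pip requirements files via pip-tools.
- name: Install virtualenv for pip requirements checks
  apt:
    name: virtualenv
    # `present` is the supported spelling; the `installed` alias is deprecated.
    state: present

- name: Create dedicated group for user running pip requirements checks
  group:
    name: "pipreqcheck"
    gid: "{{ pipreqcheck_gid | default(omit) }}"
    state: present

# Dedicated unprivileged account that owns the virtualenv and runs the checks.
- name: Create user for running pip requirements checks
  user:
    name: "pipreqcheck"
    uid: "{{ pipreqcheck_uid | default(omit) }}"
    group: "pipreqcheck"
    home: "/var/lib/pipreqcheck"
    state: present

- name: Create directory for Python virtual environment used for installing/running pip-tools
  file:
    path: "/var/lib/pipreqcheck/virtualenv"
    state: directory
    owner: pipreqcheck
    group: pipreqcheck
    mode: "0750"

- name: Create Python virtual environment used for installing/running pip-tools
  command: "/usr/bin/virtualenv --prompt '(pipreqcheck)' '/var/lib/pipreqcheck/virtualenv'"
  args:
    # Skipped once the virtualenv exists, which is what makes the task idempotent.
    creates: '/var/lib/pipreqcheck/virtualenv/bin/activate'
  become: true
  become_user: "pipreqcheck"
  tags:
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
    #   Command will not run if the virtualenv has already been created,
    #   therefore the warning is a false positive.
    - skip_ansible_lint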

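# Requirements files are owned by root but readable by the pipreqcheck group,
# so the unprivileged checker can read them without being able to modify them.
- name: Create directory for storing pip requirements files
  file:
    path: "/etc/pip_check_requirements_upgrades"
    state: "directory"
    owner: root
    group: pipreqcheck
    mode: "0750"

- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself
  file:
    path: "/etc/pip_check_requirements_upgrades/pipreqcheck"
    state: "directory"
    owner: root
    group: pipreqcheck
    mode: "0750"

- name: Deploy .in file for pip requirements in pip-tools virtual environment
  copy:
    src: "pipreqcheck_requirements.in"
    dest: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"
    owner: root
    group: pipreqcheck
    mode: "0640"

- name: Deploy requirements file for pipreqcheck virtual environment
  template:
    src: "pipreqcheck_requirements.txt.j2"
    dest: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
    owner: root
    group: pipreqcheck
    mode: "0640"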

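# Pinned to the 9.x series rather than the actual latest release, despite the
# task name.  TODO(review): confirm the <10.0.0 cap is still wanted.
- name: Install latest pip in pip-tools virtual environment
  pip:
    name: "pip>=9.0.0,<10.0.0"
    virtualenv: "~pipreqcheck/virtualenv"
  become: true
  become_user: "pipreqcheck"

- name: Install pip-tools if not present
  pip:
    name: pip-tools
    state: present
    virtualenv: "~pipreqcheck/virtualenv"
  become: true
  become_user: "pipreqcheck"

# Makes the virtualenv match the deployed requirements.txt exactly.  bash is
# required because `source` is a bash builtin, not available in /bin/sh.
- name: Synchronise pip-tools virtual environment via deployed requirements file
  shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
  args:
    executable: /bin/bash
  become: true
  become_user: "pipreqcheck"
  register: pipreqcheck_pip_sync
  # pip-sync's own "nothing to do" message is what marks the task unchanged.
  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"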

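- name: Deploy script for checking available upgrades
  copy:
    src: "pip_check_requirements_upgrades.sh"
    dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"
    owner: root
    group: root
    mode: "0755"

- name: Deploy crontab entry for checking pip requirements
  copy:
    src: "cron_check_pip_requirements"
    dest: "/etc/cron.d/check_pip_requirements"
    owner: root
    group: root
    mode: "0644"

# Lets a run opt into flushing the role's handlers immediately (for example
# with `-e handlers=true`) instead of waiting for the end of the play.
# NOTE(review): the legacy `include` keyword is deprecated in newer Ansible
# releases; before switching to `import_tasks`/`include_tasks`, check how the
# `handlers` tag and the `when` condition propagate to the included tasks.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  # `bool` already yields a boolean; the former `== True` comparison was redundant.
  when: "handlers | default(False) | bool"
  tags:
    - handlers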