

branko
MAR-51: Fixed documentation for ansible_key parameter in preseed role. Updated ca_certificates parameter in common role to accept key-value pairs of filenames and certificates to put on the remote host (so lookups/inventory can be utilised in a more flexible manner). Updated backup_client role to fail if it is not possible to extract encryption key IDs from deployed keys. Moved purging of Exim4 configuration files from handlers to tasks (more robust, and still idempotent). All documentation has been updated as well.
---

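- name: Enable use of proxy for retrieving system packages via apt
  # Only rendered when the inventory defines apt_proxy; the next task removes
  # the snippet again when the variable is absent, so toggling is idempotent.
  template:
    src: apt_proxy.j2
    dest: /etc/apt/apt.conf.d/00proxy
    owner: root
    group: root
    mode: "0644"  # quoted: an unquoted 644 would be read as decimal, not octal
  when: apt_proxy is defined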

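- name: Disable use of proxy for retrieving system packages via apt
  # Counterpart of the task above: drop the proxy snippet when apt_proxy is
  # not set, so a stale proxy does not linger after the variable is removed.
  file:
    path: /etc/apt/apt.conf.d/00proxy
    state: absent
  when: apt_proxy is undefined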

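- name: Deploy pam-auth-update configuration file for enabling pam_umask
  # Drops a pam-configs profile that the notified handler feeds to
  # pam-auth-update. Presumably this makes the UMASK set in /etc/login.defs
  # apply to PAM sessions as well as login(1) — confirm against files/pam_umask.
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    mode: "0644"
  notify: Update PAM configuration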

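- name: Set login UMASK
  # 027 keeps newly created files and directories inaccessible to "other".
  # Without backrefs the line is appended when no active UMASK entry exists;
  # the earlier backrefs form silently did nothing in that case.
  lineinfile:
    dest: /etc/login.defs
    state: present
    regexp: '^UMASK\s+'
    line: 'UMASK 027'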

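- name: Set home directory mask
  # 0750 denies "other" users access to newly created home directories.
  # The regexp matches only the active setting (a commented "#DIR_MODE=" is
  # left alone); if no active line exists it is appended instead of being
  # skipped as the previous backrefs form did.
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'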

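- name: Install sudo
  apt:
    name: sudo
    state: present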

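- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present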

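- name: Install rcconf (workaround for systemctl broken handling of SysV)
  # Used further below to enable the SysV ferm service on boot.
  apt:
    name: rcconf
    state: present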

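- name: Install common packages
  apt:
    name: "{{ item }}"
    state: present
  # Templated loop source rather than a bare variable name, which later
  # Ansible releases deprecate.
  with_items: "{{ common_packages }}"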

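- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"  # system picks the gid when none is given
    state: present
  with_items: "{{ os_groups }}"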

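- name: Set-up operating system user groups
  # One private group per user, numbered after the user's uid so that uid
  # and gid match; when no uid is given the gid is omitted as well.
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"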

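- name: Set-up operating system users
  # The user module expects password to be an already hashed value; the
  # default "!" leaves password login locked, so access relies on the
  # authorised keys deployed by the next task. The private group created
  # above is used as the primary group.
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    groups: "{{ item.additional_groups | default([]) | join(',') }}"
    append: true
    shell: /bin/bash
    state: present
    password: "{{ item.password | default('!') }}"
  with_items: "{{ os_users }}"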

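- name: Set-up authorised keys
  # Only users that declare authorized_keys are iterated, so users without
  # the attribute are left untouched (with_subelements would otherwise error
  # on the missing key, at least on older releases). Keys are added
  # non-exclusively: a key removed from the inventory stays on the host, so
  # revocation has to be handled separately.
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys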

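- name: Disable remote logins for root
  # When the directive is missing it is inserted at the top of the file:
  # sshd honours the first occurrence of a keyword, and a line appended at
  # EOF could land inside a trailing "Match" block where it would not apply
  # globally. validate rejects a config sshd cannot parse before it is
  # written, so a typo cannot lock us out on the next restart.
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH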

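- name: Disable remote login authentication via password
  # Inserted at the top of the file when absent, for the same reason as the
  # PermitRootLogin task: sshd uses the first value of a keyword, and an
  # EOF append could end up inside a "Match" block. validate guards against
  # writing a config sshd refuses to load.
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH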

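- name: Deploy CA certificates
  # ca_certificates maps a file name to PEM content, so certificate text can
  # come from lookups or inventory. item.key is used verbatim as the file
  # name; keep keys to plain names such as "example-ca.pem". Block-style
  # arguments avoid pushing multi-line PEM content through a key=value
  # string.
  # NOTE(review): files written straight into /etc/ssl/certs/ are not
  # tracked by update-ca-certificates — confirm that the notified handler
  # rehashes this directory.
  copy:
    content: "{{ item.value }}"
    dest: "/etc/ssl/certs/{{ item.key }}"
    owner: root
    group: root
    mode: "0644"
  with_dict: "{{ ca_certificates }}"
  notify:
    - Update CA certificate cache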

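- name: Install ferm (for firewall management)
  apt:
    name: ferm
    state: present  # "installed" is a legacy alias; "present" matches the other apt tasks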

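- name: Configure ferm init script configuration file
  copy:
    src: ferm
    dest: /etc/default/ferm
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm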

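- name: Create directory for storing ferm configuration files
  # 0750 keeps the firewall rule set readable by root only.
  file:
    path: /etc/ferm/conf.d/
    state: directory
    owner: root
    group: root
    mode: "0750"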

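- name: Deploy main ferm configuration file
  # Ownership and mode are set explicitly, matching the base rules file
  # below, so the firewall configuration is not world-readable.
  copy:
    src: ferm.conf
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm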

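- name: Deploy ferm base rules
  template:
    src: 00-base.conf.j2
    dest: /etc/ferm/conf.d/00-base.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm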

- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
  # NOTE(review): result.stderr == "" holds on every successful run, so the
  # task reports "changed" each time even when ferm was already enabled; a
  # stat of the rc*.d link would allow honest change reporting. A non-zero
  # exit from rcconf still fails the task as usual for the command module.
  changed_when: result.stderr == ""
  register: result
  command: >-
    rcconf -on ferm

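- name: Enable ferm service
  # Starts ferm now; enabling on boot is handled by the rcconf task above.
  service:
    name: ferm
    state: started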