Location: majic-ansible-roles/roles/common/tasks/main.yml
MAR-67: Deploy /etc/profile.d/ configuration file that allows reading user-specific profile config files from ~/.profile.d/ directory. Create home directory for web application users in order to get all the fancy colouring etc. Deploy virtual environment activation script inside of wsgi_website role as profile.d script.
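---
# Common baseline applied to every managed host: apt proxy, login defaults
# (umask, home-directory mode), shell profile files, base packages, OS
# groups/users and their SSH keys, sshd hardening, CA certificates and the
# ferm firewall.
#
# Variables read here (defined by the inventory/role defaults, not in this
# file): apt_proxy, common_packages, os_groups, os_users, ca_certificates,
# handlers.

- name: Enable use of proxy for retrieving system packages via apt
  template:
    src: apt_proxy.j2
    dest: /etc/apt/apt.conf.d/00proxy
    owner: root
    group: root
    mode: "0644"
  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt
  file:
    path: /etc/apt/apt.conf.d/00proxy
    state: absent
  when: apt_proxy is undefined

- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    mode: "0644"
  notify: Update PAM configuration

# Restrictive defaults: newly created files are not world-readable (027)
# and home directories are not world-accessible (0750).
- name: Set login UMASK
  lineinfile:
    dest: /etc/login.defs
    state: present
    backrefs: true
    regexp: '^UMASK(\s+)'
    line: 'UMASK\g<1>027'

- name: Set home directory mask
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    backrefs: true
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'

- name: Deploy bash profile configuration for fancier prompts
  template:
    src: bash_prompt.sh.j2
    dest: /etc/profile.d/bash_prompt.sh
    owner: root
    group: root
    mode: "0644"

# The z99- prefix makes this the last profile.d snippet sourced, so the
# per-user ~/.profile.d/ files it pulls in can override everything above.
- name: Deploy profile configuration that allows for user-specific profile.d files
  copy:
    src: user_profile_d.sh
    dest: /etc/profile.d/z99-user_profile_d.sh
    owner: root
    group: root
    mode: "0644"

- name: Replace default and skeleton bashrc
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    owner: root
    group: root
    mode: "0644"
  with_dict:
    skel_bashrc: /etc/skel/.bashrc
    bashrc: /etc/bash.bashrc

- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

- name: Install rcconf (workaround for systemctl broken handling of SysV)
  apt:
    name: rcconf
    state: present

- name: Install common packages
  apt:
    name: "{{ item }}"
    state: present
  with_items: "{{ common_packages }}"

- name: Disable electric-indent-mode for Emacs by default for all users
  copy:
    src: 01disable-electric-indent-mode.el
    dest: /etc/emacs/site-start.d/01disable-electric-indent-mode.el
    owner: root
    group: root
    mode: "0644"
  when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages"

- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: present
  with_items: "{{ os_groups }}"

# Each user gets a private primary group whose gid mirrors the uid (when one
# is given), created before the user so the user task can reference it.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"

- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    groups: "{{ item.additional_groups | default([]) | join(',') }}"
    append: true
    shell: /bin/bash
    state: present
    # "!" locks the password field, so accounts without an explicit value can
    # only authenticate with SSH keys.  item.password is passed straight to
    # the user module, i.e. it is expected to be an already-hashed value —
    # confirm against the inventory.  update_password=on_create keeps later
    # runs from resetting passwords that users changed themselves.
    password: "{{ item.password | default('!') }}"
    update_password: on_create
  with_items: "{{ os_users }}"

- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys

# sshd hardening.  The regexps only match an already uncommented directive;
# when none exists the line is appended at the end of the file, which would
# land inside a trailing Match block if one is present — NOTE(review): check
# the stock sshd_config on the target release.  validate refuses the edit if
# sshd would reject the resulting file, so a bad change cannot leave the host
# unreachable once the Restart SSH handler fires.
- name: Disable remote logins for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

- name: Disable remote login authentication via password
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH

# Certificates removed from ca_certificates are not removed from disk by this
# task; they stay trusted until deleted by hand.
- name: Deploy CA certificates
  copy:
    content: "{{ item.value }}"
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
    owner: root
    group: root
    mode: "0644"
  with_dict: "{{ ca_certificates }}"
  register: deploy_ca_certificates_result

- name: Update CA certificate cache
  command: /usr/sbin/update-ca-certificates --fresh
  when: deploy_ca_certificates_result.changed

- name: Install ferm (for firewall management)
  apt:
    name: ferm
    state: present  # "installed" is a deprecated alias of "present"

- name: Configure ferm init script configuration file
  copy:
    src: ferm
    dest: /etc/default/ferm
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

- name: Create directory for storing ferm configuration files
  file:
    dest: /etc/ferm/conf.d/
    mode: "0750"
    state: directory
    owner: root
    group: root

# Ownership and mode made explicit (same as the rule files below) instead of
# depending on the remote umask.
- name: Deploy main ferm configuration file
  copy:
    src: ferm.conf
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Deploy ferm base rules
  template:
    src: 00-base.conf.j2
    dest: /etc/ferm/conf.d/00-base.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
  command: rcconf -on ferm
  register: rcconf_ferm_result
  # Only an empty stderr is available as a success signal, so this task
  # reports "changed" on every successful run rather than only the first.
  changed_when: rcconf_ferm_result.stderr == ""

- name: Enable ferm service
  service:
    name: ferm
    state: started

# Lets a caller force all notified handlers to run now (e.g. a partial run
# with --tags handlers) instead of waiting for the end of the play.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: handlers | default(false) | bool
  tags:
    - handlers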