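---
# Common baseline tasks for Debian-based hosts: apt proxy, PAM/umask defaults,
# shell profiles, OS users/groups and SSH keys, sshd hardening, CA
# certificates, ferm firewall, certificate-expiry and pip-requirements checks,
# and NTP.
#
# File modes are written as quoted octal strings so that the YAML parser never
# reinterprets them (a bare leading-zero literal is parsed as an integer).

# Deploy or remove the apt proxy drop-in depending on whether apt_proxy is set.
- name: Enable use of proxy for retrieving system packages via apt
  template:
    src: "apt_proxy.j2"
    dest: "/etc/apt/apt.conf.d/00proxy"
    owner: root
    group: root
    mode: "0644"
  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt
  file:
    path: "/etc/apt/apt.conf.d/00proxy"
    state: absent
  when: apt_proxy is undefined

# pam_umask is switched on through pam-auth-update; the notified handler
# applies the profile.
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: "pam_umask"
    dest: "/usr/share/pam-configs/umask"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Update PAM configuration

# backrefs keeps the original whitespace between the key and its value.
- name: Set login UMASK
  lineinfile:
    dest: "/etc/login.defs"
    state: present
    backrefs: true
    regexp: '^UMASK(\s+)'
    line: 'UMASK\g<1>027'

- name: Set home directory mask
  lineinfile:
    dest: "/etc/adduser.conf"
    state: present
    backrefs: true
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'

- name: Deploy bash profile configuration for fancier prompts
  template:
    src: "bash_prompt.sh.j2"
    dest: "/etc/profile.d/bash_prompt.sh"
    owner: root
    group: root
    mode: "0644"

- name: Deploy profile configuration that allows for user-specific profile.d files
  copy:
    src: "user_profile_d.sh"
    dest: "/etc/profile.d/z99-user_profile_d.sh"
    owner: root
    group: root
    mode: "0644"

# item.key is the source file name, item.value the destination path.
- name: Replace default and skeleton bashrc
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    owner: root
    group: root
    mode: "0644"
  with_dict:
    bashrc: "/etc/bash.bashrc"
    skel_bashrc: "/etc/skel/.bashrc"

# Only replace root's bashrc while it still matches the stock one, so a
# locally customised file is never overwritten.
- name: Calculate stock checksum for bashrc root account
  stat:
    path: "/root/.bashrc"
  register: root_bashrc_stat

- name: Replace stock bashrc for root account with skeleton one
  copy:
    src: "skel_bashrc"
    dest: "/root/.bashrc"
    owner: root
    group: root
    mode: "0640"
  when: root_bashrc_stat.stat.checksum == "b737c392222ddac2271cc8d0d8cc0308d08cf458"

- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

- name: Install rcconf (workaround for systemctl broken handling of SysV)
  apt:
    name: rcconf
    state: present

- name: Install common packages
  apt:
    name: "{{ item }}"
    state: "present"
  with_items: "{{ common_packages }}"

- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
  file:
    src: "/usr/bin/mariadb_config"
    dest: "/usr/bin/mysql_config"
    state: link
  when: "'libmariadb-client-lgpl-dev-compat' in common_packages and ansible_distribution_release == 'jessie'"

- name: Disable electric-indent-mode for Emacs by default for all users
  copy:
    src: "01disable-electric-indent-mode.el"
    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"
    owner: root
    group: root
    mode: "0644"
  when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages"

- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: present
  with_items: "{{ os_groups }}"

# User private groups: the gid deliberately mirrors the user's uid so that
# the primary group created here matches the account created below.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"

# Accounts without an explicit password are created locked ('!'); the
# password is only set on creation, never reset on later runs.
- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    groups: "{{ ','.join(item.additional_groups | default([])) }}"
    append: true
    shell: /bin/bash
    state: present
    password: "{{ item.password | default('!') }}"
    update_password: on_create
  with_items: "{{ os_users }}"

# Only users that define authorized_keys are iterated over.
- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys

- name: Disable remote logins for root
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
  notify:
    - Restart SSH

- name: Disable remote login authentication via password
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
  notify:
    - Restart SSH

# ca_certificates maps certificate name -> PEM content.
- name: Deploy CA certificates
  copy:
    content: "{{ item.value }}"
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
    owner: root
    group: root
    mode: "0644"
  with_dict: "{{ ca_certificates }}"
  register: deploy_ca_certificates_result

- name: Update CA certificate cache
  command: "/usr/sbin/update-ca-certificates --fresh"
  when: deploy_ca_certificates_result.changed
  tags:
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
    # The CA certificate cache must be updated immediately so that
    # applications depending on the deployed CA certificates can use them to
    # validate server/client certificates within the same run.
    - skip_ansible_lint

- name: Install ferm (for firewall management)
  apt:
    name: ferm
    state: present

- name: Configure ferm init script configuration file
  copy:
    src: "ferm"
    dest: "/etc/default/ferm"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

- name: Create directory for storing ferm configuration files
  file:
    dest: "/etc/ferm/conf.d/"
    state: directory
    owner: root
    group: root
    mode: "0750"

- name: Deploy main ferm configuration file
  copy:
    src: "ferm.conf"
    dest: "/etc/ferm/ferm.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Deploy ferm base rules
  template:
    src: "00-base.conf.j2"
    dest: "/etc/ferm/conf.d/00-base.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# rcconf prints nothing on stderr when it actually changed the runlevel
# links; that is used as the change indicator.
- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
  command: "rcconf -on ferm"
  register: rcconf_ferm_result
  changed_when: rcconf_ferm_result.stderr == ""

- name: Enable ferm service
  service:
    name: ferm
    state: started

- name: Deploy script for validating server certificates
  copy:
    src: "check_certificate.sh"
    dest: "/usr/local/bin/check_certificate.sh"
    owner: root
    group: root
    mode: "0755"

- name: Set-up directory for holding configuration for certificate validation script
  file:
    path: "/etc/check_certificate"
    state: "directory"
    owner: root
    group: root
    mode: "0755"

# Runs daily at midnight as the unprivileged nobody account.
- name: Deploy crontab entry for checking certificates
  cron:
    name: "check_certificate"
    cron_file: "check_certificate"
    hour: 0
    minute: 0
    job: "/usr/local/bin/check_certificate.sh -q expiration"
    state: present
    user: nobody

- name: Install apticron (for checking available upgrades)
  apt:
    name: apticron
    state: present

# Implementation for checking pip requirements files via pip-tools.
- name: Install virtualenv for pip requirements checks
  apt:
    name: virtualenv
    state: present

- name: Create dedicated group for user running pip requirements checks
  group:
    name: "pipreqcheck"
    gid: "{{ pipreqcheck_gid | default(omit) }}"
    state: present

- name: Create user for running pip requirements checks
  user:
    name: "pipreqcheck"
    uid: "{{ pipreqcheck_uid | default(omit) }}"
    group: "pipreqcheck"
    home: "/var/lib/pipreqcheck"
    state: present

- name: Create directory for Python virtual environment used for installing/running pip-tools
  file:
    path: "{{ item }}"
    state: directory
    owner: pipreqcheck
    group: pipreqcheck
    mode: "0750"
  with_items:
    - "/var/lib/pipreqcheck/virtualenv"
    - "/var/lib/pipreqcheck/virtualenv-py3"

# item.key is used as the prompt label, item.value as the virtualenv path.
# `creates` must follow the loop item: a fixed path would make the second
# environment silently skipped once the first one exists.
# NOTE(review): no interpreter is pinned here, so the -py3 environment gets
# whatever virtualenv defaults to on the target release — confirm it is
# Python 3.
- name: Create Python virtual environment used for installing/running pip-tools
  command: "/usr/bin/virtualenv --prompt '({{ item.key }})' '{{ item.value }}'"
  args:
    creates: "{{ item.value }}/bin/activate"
  become: true
  become_user: "pipreqcheck"
  with_dict:
    pipreqcheck: "/var/lib/pipreqcheck/virtualenv"
    pipreqcheck-py3: "/var/lib/pipreqcheck/virtualenv-py3"
  tags:
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
    # The command will not run if the virtualenv has already been created,
    # therefore the warning is a false positive.
    - skip_ansible_lint

- name: Create directory for storing pip requirements files
  file:
    path: "{{ item }}"
    state: "directory"
    owner: root
    group: pipreqcheck
    mode: "0750"
  with_items:
    - "/etc/pip_check_requirements_upgrades"
    - "/etc/pip_check_requirements_upgrades-py3"

- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself
  file:
    path: "{{ item }}"
    state: "directory"
    owner: root
    group: pipreqcheck
    mode: "0750"
  with_items:
    - "/etc/pip_check_requirements_upgrades/pipreqcheck"
    - "/etc/pip_check_requirements_upgrades-py3/pipreqcheck"

- name: Deploy .in file for pip requirements in pip-tools virtual environment
  copy:
    src: "pipreqcheck_requirements.in"
    dest: "{{ item }}"
    owner: root
    group: pipreqcheck
    mode: "0640"
  with_items:
    - "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"
    - "/etc/pip_check_requirements_upgrades-py3/pipreqcheck/requirements.in"

- name: Deploy requirements file for pipreqcheck virtual environment
  template:
    src: "pipreqcheck_requirements.txt.j2"
    dest: "{{ item }}"
    owner: root
    group: pipreqcheck
    mode: "0640"
  with_items:
    - "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
    - "/etc/pip_check_requirements_upgrades-py3/pipreqcheck/requirements.txt"

# pip is pinned to the 18.x series inside the virtualenvs.
- name: Install latest pip in pip-tools virtual environment
  pip:
    name:
      - "pip>=18.0.0,<19.0.0"
    virtualenv: "{{ item }}"
  become: true
  become_user: "pipreqcheck"
  with_items:
    - "~pipreqcheck/virtualenv"
    - "~pipreqcheck/virtualenv-py3"

- name: Install pip-tools if not present
  pip:
    name: pip-tools
    state: present
    virtualenv: "{{ item }}"
  become: true
  become_user: "pipreqcheck"
  with_items:
    - "~pipreqcheck/virtualenv"
    - "~pipreqcheck/virtualenv-py3"

# pip-sync reports "Everything up-to-date" when nothing was changed; anything
# else is treated as a change.
- name: Synchronise pip-tools virtual environment via deployed requirements file (Python 2)
  shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
  args:
    executable: /bin/bash
  become: true
  become_user: "pipreqcheck"
  register: pipreqcheck_pip_sync
  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"

- name: Synchronise pip-tools virtual environment via deployed requirements file (Python 3)
  shell: "source ~pipreqcheck/virtualenv-py3/bin/activate && pip-sync /etc/pip_check_requirements_upgrades-py3/pipreqcheck/requirements.txt"
  args:
    executable: /bin/bash
  become: true
  become_user: "pipreqcheck"
  register: pipreqcheck_pip_sync
  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"

- name: Deploy script for checking available upgrades
  copy:
    src: "pip_check_requirements_upgrades.sh"
    dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"
    owner: root
    group: root
    mode: "0755"

- name: Deploy crontab entry for checking pip requirements (Python 2)
  copy:
    src: "cron_check_pip_requirements"
    dest: "/etc/cron.d/check_pip_requirements"
    owner: root
    group: root
    mode: "0644"

- name: Deploy crontab entry for checking pip requirements (Python 3)
  copy:
    src: "cron_check_pip_requirements-py3"
    dest: "/etc/cron.d/check_pip_requirements-py3"
    owner: root
    group: root
    mode: "0644"

# NTP is only configured when ntp_servers is non-empty.
- name: Install NTP packages
  apt:
    name:
      - ntp
      - ntpdate
    state: present
  when: ntp_servers

- name: Deploy NTP configuration
  template:
    src: "ntp.conf.j2"
    dest: "/etc/ntp.conf"
    owner: root
    group: root
    mode: "0644"
  when: ntp_servers
  notify:
    - Restart NTP server

# Lets a run flush handlers on demand (e.g. after a partial/tagged run).
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers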