diff --git a/iptables/tasks/main.yml b/iptables/tasks/main.yml index d9e0ec7..b27f396 100644 --- a/iptables/tasks/main.yml +++ b/iptables/tasks/main.yml @@ -17,12 +17,34 @@ - iptables - iptables_rules -- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used +- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 with_items: - rules.v4 - rules.v6 - when: ( is_precise ) or ( is_trusty ) or ( is_debian7 ) + when: is_precise + notify: Start the iptables service + tags: + - iptables + - iptables_rules + +- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 + with_items: + - rules.v4 + - rules.v6 + when: is_trusty + notify: Start the iptables service + tags: + - iptables + - iptables_rules + +- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7 + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 + with_items: + - rules.v4 + - rules.v6 + when: is_debian7 notify: Start the iptables service tags: - iptables diff --git a/memcached/defaults/main.yml b/memcached/defaults/main.yml index 17005fa..63037a3 100644 --- a/memcached/defaults/main.yml +++ b/memcached/defaults/main.yml @@ -7,4 +7,4 @@ mc_user: memcached mc_maxconn: 1024 mc_cachesize: 256 mc_options: "" -mc_ipaddress: 127.0.0.1 \ No newline at end of file +mc_ipaddress: 127.0.0.1 diff --git a/oracle-jdk/tasks/main.yml b/oracle-jdk/tasks/main.yml index 2ddc964..d72bc73 100644 --- a/oracle-jdk/tasks/main.yml +++ b/oracle-jdk/tasks/main.yml 
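Review bot: All three new tasks still install a rules.v6 file that their own name says "is not used"; if nothing loads it, IPv6 traffic on a dual-stack host bypasses the filtering the IPv4 rules impose. Either confirm that the `Start the iptables service` handler (not visible here) loads /etc/iptables/rules.v6 as well, or make the template an explicit default-DROP policy and say so in the task name instead of "not used". The split into three tasks that differ only in `when:` is presumably forced by the `is_*` variables being Jinja expression strings (see the ubuntu-deb-general defaults later in this commit), where `a or b` on two non-empty strings is always true; a comment above the first task explaining that would stop the next maintainer from merging them back.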
@@ -1,6 +1,13 @@ --- -- name: setup the Oracle JDK repository - apt_repository: repo='ppa:webupd8team/java' +- name: setup the Oracle JDK repository on ubuntu + apt_repository: repo='ppa:webupd8team/java' state=present + when: is_ubuntu + register: update_apt_cache + tags: jdk + +- name: setup the Oracle JDK repository on debian + apt_repository: repo='deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main' state=present + when: is_debian register: update_apt_cache tags: jdk diff --git a/php-fpm/defaults/main.yml b/php-fpm/defaults/main.yml index 0404843..cb9f915 100644 --- a/php-fpm/defaults/main.yml +++ b/php-fpm/defaults/main.yml 
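Review bot: The Debian task adds `deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main` without the PPA's signing key: `apt_repository` only fetches a key for the `ppa:` shorthand, so on Debian apt will either reject the source as unsigned or, if authentication is disabled elsewhere, install unverified packages over plain HTTP. Add an `apt_key` task that imports the webupd8team key from the Ubuntu keyserver before this one. Both tasks also `register: update_apt_cache`; on Ubuntu the skipped Debian task runs second and overwrites the variable with a skipped result whose `changed` is false, so any later task keyed on `update_apt_cache.changed` (not visible here) never fires on Ubuntu — register into distinct names. The `precise` pocket is also hard-coded for every Debian release, which deserves a comment.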
@@ -54,7 +54,14 @@ phpfpm_default_slowlog_timeout: "20s" phpfpm_default_rlimit_files: "1024" phpfpm_default_extensions: ".php" phpfpm_default_context: '/' -phpfpm_session_prefix: '/var/lib/php5' +phpfpm_default_session_handler: 'files' +phpfpm_default_session_prefix: '/var/lib/php5' +phpfpm_session_prefix: '{{ phpfpm_default_session_prefix }}' + +phpfpm_use_memcache_redundancy_sessions: False +phpfpm_use_memcached_redundancy_sessions: False +memcache_session_allow_failover: 1 +memcache_session_redundancy: 3 phpfpm_pools: - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}' } diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml index 71f7e19..59e75e7 100644 --- a/php-fpm/tasks/main.yml +++ b/php-fpm/tasks/main.yml 
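Review bot: Two near-identical toggles are introduced, `phpfpm_use_memcache_redundancy_sessions` and `phpfpm_use_memcached_redundancy_sessions`, but only the first is read by the new php.ini tasks in this commit; the second is easy to set by mistake and then silently does nothing. Either drop it or add a comment above each stating which PHP extension (pecl memcache vs pecl memcached) it is meant to drive. The new booleans should be written `false` rather than `False`, matching YAML convention and the string-vs-boolean cleanup the `users` role hunks in this same commit perform.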
@@ -14,6 +14,22 @@ - php - php_ini +- name: Activate the memcache redundancy if we use it + ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.allow_failover value={{ memcache_session_allow_failover }} + when: phpfpm_use_memcache_redundancy_sessions + notify: Reload php-fpm + tags: + - php + - php_ini + +- name: Set the memcache redundancy servers + ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.session_redundancy value={{ memcache_session_redundancy }} + when: phpfpm_use_memcache_redundancy_sessions + notify: Reload php-fpm + tags: + - php + - php_ini + - name: remove php-fpm default pool file: dest={{ phpfpm_base_dir }}/pool.d/www.conf state=absent when: phpfpm_remove_default_pool diff --git a/php-fpm/templates/php-fpm-pool.conf.j2 b/php-fpm/templates/php-fpm-pool.conf.j2 index d684743..2b939ac 100644 --- a/php-fpm/templates/php-fpm-pool.conf.j2 +++ b/php-fpm/templates/php-fpm-pool.conf.j2 @@ -288,6 +288,17 @@ php_admin_flag[log_errors] = {{ item.log_errors }} php_admin_value[memory_limit] = {{ item.memory_limit }} ; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ phpfpm_session_prefix }}/{{ item.pool_name }} - +{% if item.session_save_handler is defined %} +php_value[session.save_handler] = '{{ item.session_save_handler }}' +{% else %} +php_value[session.save_handler] = '{{ phpfpm_default_session_handler }}' +{% endif %} +{% if item.session_save_path is defined %} +php_value[session.save_path] = '{{ item.session_save_path }}' +{% else %} +{% if phpfpm_session_save_path is defined %} +php_value[session.save_path] = '{{ phpfpm_session_save_path }}' +{% else %} +php_value[session.save_path] = '{{ phpfpm_default_session_prefix }}/{{ item.pool_name }}' +{% endif %} +{% endif %} diff --git a/postfix-relay/defaults/main.yml b/postfix-relay/defaults/main.yml index 3e716ca..9109f66 100644 --- a/postfix-relay/defaults/main.yml 
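Review bot: Both `ini_file` tasks only run when `phpfpm_use_memcache_redundancy_sessions` is true, so turning the flag back off leaves `memcache.allow_failover` and `memcache.session_redundancy` in php.ini; add mirror tasks with `state=absent` and `when: not phpfpm_use_memcache_redundancy_sessions` so the change is reversible. A comment above the second task explaining what the default of 3 means (presumably the number of session copies, i.e. servers plus one — confirm against the extension docs) would also help, since the number is otherwise opaque.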
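Review bot: The final fallback reads `phpfpm_default_session_prefix` instead of `phpfpm_session_prefix`, the variable the previous template used and that the defaults hunk deliberately keeps; a host that overrides `phpfpm_session_prefix` now silently gets `/var/lib/php5/<pool>`. Change the last branch to `php_value[session.save_path] = '{{ phpfpm_session_prefix }}/{{ item.pool_name }}'`. Since the comment says the path must be a directory owned by the process user, consider `php_admin_value` for both keys so application code cannot `ini_set()` the session store elsewhere; and when `session_save_handler` is `memcache`, the target memcached has no authentication, so it must stay bound to loopback or a private network (this repo's `mc_ipaddress` default is 127.0.0.1).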
+++ b/postfix-relay/defaults/main.yml
@@ -5,6 +5,10 @@
 postfix_biff: "no"
 postfix_append_dot_mydomain: "no"
 postfix_use_relay_host: True
+# Accepted values: none, may, encrypt
+postfix_smtpd_tls_security_level: encrypt
+# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
+postfix_smtp_tls_security_level: encrypt
 postfix_use_sasl_auth: True
 postfix_smtp_sasl_auth_enable: "yes"
 postfix_smtp_create_relay_user: True
diff --git a/postfix-relay/tasks/main.yml b/postfix-relay/tasks/main.yml
index 609f4e0..fd74297 100644
--- a/postfix-relay/tasks/main.yml
+++ b/postfix-relay/tasks/main.yml
@@ -1,6 +1,5 @@
 ---
 - include: smtp-common-packages.yml
-  when: postfix_relay_client
 - include: smtp-sasl-auth.yml
   when:
     - postfix_use_sasl_auth
diff --git a/postfix-relay/tasks/postfix-relay-server.yml b/postfix-relay/tasks/postfix-relay-server.yml
index fae5c92..e1c5152 100644
--- a/postfix-relay/tasks/postfix-relay-server.yml
+++ b/postfix-relay/tasks/postfix-relay-server.yml
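Review bot: `encrypt` for `postfix_smtp_tls_security_level` only guarantees that the connection to the relayhost is encrypted, not that the relayhost is who it claims to be; a network attacker presenting any certificate can still intercept relayed mail and the SASL credentials sent over it. For a fixed relayhost the stronger default is `secure` (or `verify`) together with an `smtp_tls_CAfile`, which would need its own variable here. At minimum extend the comment: `# 'encrypt' does not verify the relayhost certificate; use 'secure'/'verify' with smtp_tls_CAfile to prevent MITM`.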
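Review bot: Dropping `when: postfix_relay_client` makes `smtp-common-packages.yml` run on every host, and this same commit moves the master.cf template that opens the submission port into that file, so port 587 with `smtpd_sasl_auth_enable=yes` is now configured even on hosts that are neither relay client nor server. Whether that listener is reachable depends on `inet_interfaces`, which is not visible here. If it is intended, a comment saying so would help; otherwise keep a guard such as `when: postfix_relay_client or postfix_relay_server`.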
@@ -1,54 +1,40 @@ --- - name: Write the network hash file template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444 - when: postfix_relay_server notify: Update the network hash table tags: - postfix-relay -- name: Activate the submission port on the postfix master file - template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444 - when: postfix_relay_server - notify: Restart postfix - tags: - - postfix-relay - - name: Install the sasl2 authentication infrastructure apt: pkg={{ item }} state=installed with_items: postfix_sasl_packages - when: postfix_relay_server tags: - postfix-relay - name: Create the sasl directory inside /etc/postfix file: dest=/etc/postfix/sasl state=directory owner=root group=root mode=0555 - when: postfix_relay_server tags: - postfix-relay - name: Install the smtpd.conf file inside inside /etc/postfix/sasl copy: src=sasl_smtpd.conf dest=/etc/postfix/sasl/smtpd.conf owner=root group=root mode=0444 - when: postfix_relay_server tags: - postfix-relay - name: Enable the saslauth daemon action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell - when: postfix_relay_server notify: start saslauth daemon tags: - postfix-relay - name: Change the socket path because postfix on debian runs inside a chroot jail action: configfile path=/etc/default/saslauthd key=OPTIONS value='"-c -m /var/spool/postfix/var/run/saslauthd"' syntax=shell - when: postfix_relay_server notify: restart saslauth daemon tags: - postfix-relay - name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket user: name=postfix groups='sasl' - when: postfix_relay_server notify: Restart postfix tags: - postfix-relay diff --git a/postfix-relay/tasks/smtp-common-packages.yml b/postfix-relay/tasks/smtp-common-packages.yml index 6c1c5fe..6cc4802 100644 --- a/postfix-relay/tasks/smtp-common-packages.yml +++ b/postfix-relay/tasks/smtp-common-packages.yml 
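Review bot: `user: name=postfix groups='sasl'` still lacks `append=yes`, so it replaces every supplementary group postfix already has with just `sasl` — the `users` role hunk in this commit adds `append=yes` for exactly this reason. Change it to `user: name=postfix groups='sasl' append=yes`. Removing the per-task `when: postfix_relay_server` guards also presumes the include of this file is now conditional, which is not visible here; confirm, since these tasks install saslauthd and a relay network table that only a relay server should have.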
@@ -13,3 +13,9 @@ tags: - postfix-relay +- name: Activate the submission port on the postfix master file + template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444 + notify: Restart postfix + tags: + - postfix-relay + diff --git a/postfix-relay/templates/main.cf.j2 b/postfix-relay/templates/main.cf.j2 index fbd36c4..da98616 100644 --- a/postfix-relay/templates/main.cf.j2 +++ b/postfix-relay/templates/main.cf.j2 @@ -23,9 +23,9 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_security_level = encrypt smtpd_tls_auth_only = yes {% endif %} -smtpd_use_tls=yes +smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }} # Client -smtp_tls_security_level = encrypt +smtp_tls_security_level = {{ postfix_smtp_tls_security_level }} smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for diff --git a/postfix-relay/templates/postfix-master.cf.j2 b/postfix-relay/templates/postfix-master.cf.j2 index 4b68d62..fb0453f 100644 --- a/postfix-relay/templates/postfix-master.cf.j2 +++ b/postfix-relay/templates/postfix-master.cf.j2 @@ -16,7 +16,7 @@ smtp inet n - - - - smtpd #tlsproxy unix - - - - 0 tlsproxy submission inet n - - - - smtpd -o syslog_name=postfix/submission - -o smtpd_tls_security_level=encrypt + -o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }} -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index 8789515..986f2f5 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml @@ -3,7 +3,6 @@ # Use the apt proxy # use_apt_proxy: False -apt_proxy_url: "http://apt.research-infrastructures.eu:9999" pkg_state: installed common_packages: 
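Review bot: The rendered main.cf now sets `smtpd_tls_security_level` twice whenever the `{% if %}` block above the hunk is active: once hard-coded to `encrypt` next to `smtpd_tls_auth_only = yes`, and again from `postfix_smtpd_tls_security_level`; Postfix takes the last value, so the variable silently wins, and with it set to `none` the retained `smtpd_tls_auth_only = yes` leaves no path on which SASL authentication is offered. Move the variable into the conditional in place of the literal, or drop the literal and document that the variable governs both. Replacing the obsolete `smtpd_use_tls=yes` with a security level is the right direction; a comment noting that `encrypt` on the port-25 smtpd rejects plaintext MX peers (intentional for a relay, surprising for an MX) would help.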
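Review bot: The submission listener now shares `postfix_smtpd_tls_security_level` with the port-25 smtpd, so anyone who relaxes that variable to `may` or `none` for inbound interoperability also permits plaintext SASL logins on 587, the port that actually carries credentials. Keep submission pinned to `encrypt`, or give it a separate knob, e.g. `-o smtpd_tls_security_level={{ postfix_submission_tls_security_level | default('encrypt') }}`. The `encrypt` default introduced in this commit is safe; the coupling between the two listeners is the defect.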
@@ -97,24 +96,24 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates # # debian/ubuntu distributions controllers # -has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6" +has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6" has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04 or {{ ansible_distribution_version }} == 12.04)" -has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5" +has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_distribution_major_version }}' >= 5" -has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_lsb['major_release'] }} >= 8))" +has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_distribution_major_version }} >= 8))" is_debian: "'{{ ansible_distribution }}' == 'Debian'" is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'" is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'" -is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)" -is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5" -is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ 
ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4" -is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6" +is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} == 6)" +is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 5" +is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 4" +is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} != 6" is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} <= 7" is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} < 6" -is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)" +is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6)" is_hardy: "'{{ ansible_distribution_release }}' == 'hardy'" is_broken_hardy_lts: "'{{ ansible_distribution }}'== 'Debian' and '{{ ansible_distribution_release }}' == 'NA'" 
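Review bot: `has_apt` compares the quoted `'{{ ansible_distribution_major_version }}'` against the bare integer 5, while `has_default_grub` on the line above compares unquoted; under Python 2 a string always orders above an int so the check is unconditionally true, and under Python 3 the comparison raises. Drop the quotes so it reads `{{ ansible_distribution_major_version }} >= 5`. Note also that `ansible_distribution_major_version` may not be numeric on Debian testing/sid, where the rendered expression becomes an unquoted bare word and fails to parse — the `!= 'lenny/sid'` guard does not cover that case.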
@@ -126,19 +125,19 @@ is_trusty: "'{{ ansible_distribution_release }}' == 'trusty'" is_ubuntu: "'{{ ansible_distribution }}' == 'Ubuntu'" is_not_precise: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 12.04) or '{{ ansible_distribution }}' == 'Debian'" is_not_trusty: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 14.04) or '{{ ansible_distribution }}' == 'Debian'" -is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} >= 12)" -is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12)" -is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 14)" +is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 12)" +is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12)" +is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 14)" # Ubuntu < 10.04 or Debian 4 is_ubuntu_between_8_and_9_and_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 8.04 or {{ ansible_distribution_version }} == 8.10 or {{ ansible_distribution_version }} == 9.04)) or ({{ is_debian4 }})" -#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12) or ({{ is_debian4 }})" +#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12) or ({{ is_debian4 }})" is_ubuntu_between_8_and_9_or_is_debian_4: "'{{ is_ubuntu_between_8_and_9_and_is_debian_4 }}'" # Ubuntu between 10.04 and 11.04 is_ubuntu_between_10_04_and_11_04: "'{{ ansible_distribution }}' == 'Ubuntu' 
and ({{ ansible_distribution_version }} == 10.04 or {{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04)" # Ubuntu between 10.04 and 11.04, or Debian 6 is_ubuntu_between_10_04_and_11_04_and_is_debian_6: "({{ is_ubuntu_between_10_04_and_11_04 }} or {{ is_debian6 }})" # Debian >=6 -is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6" +is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6" is_trusty_or_debian7: "('{{ ansible_distribution_release }}' == 'trusty') or ('{{ ansible_distribution_release }}' == 'wheezy')" diff --git a/users/defaults/main.yml b/users/defaults/main.yml index 1b25e04..369612e 100644 --- a/users/defaults/main.yml +++ b/users/defaults/main.yml @@ -10,5 +10,5 @@ users_sudoers_create_group: False users_sudoers_create_sudo_conf: False users_home_dir: /home #users_system_users: -# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' } +# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False } diff --git a/users/tasks/main.yml b/users/tasks/main.yml index c5a2de8..f73f833 100644 --- a/users/tasks/main.yml +++ b/users/tasks/main.yml @@ -29,11 +29,11 @@ - users - name: Add the admin users to the sudoers group - user: name={{ item.login }} groups={{ users_sudoers_group }} + user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes with_items: users_system_users when: - users_system_users is defined - - item.admin == 'True' + - item.admin tags: - users 
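Review bot: `when: item.admin` is a truthiness test, so a host var still written in the old style, `admin: 'False'`, is a non-empty string and grants that account membership in the sudoers group; the `users/defaults` hunk updates only the commented example, not existing inventories. Use `- item.admin is defined` and `- item.admin | bool` so both real booleans and 'True'/'False' strings behave as intended. Adding `append=yes` is the right fix — without it each run replaced the user's supplementary groups with just `{{ users_sudoers_group }}`.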
@@ -43,7 +43,7 @@ when: - users_system_users is defined - item.ssh_key is defined - - ( item.log_as_root is defined ) and ( item.log_as_root == 'True' ) + - ( item.log_as_root is defined ) and ( item.log_as_root ) tags: - users
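Review bot: `( item.log_as_root )` has the same string-truthiness problem as the sudoers check: a `log_as_root: 'False'` left in an existing host var is truthy, so the user's key is presumably installed for root. Change it to `- ( item.log_as_root is defined ) and ( item.log_as_root | bool )`. The task this `when:` belongs to starts above the hunk, so the module that installs the key is not visible here.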