From cd4ce10bcac9825f04e28040299ff4f6e3d26b2a Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 28 Jul 2015 19:27:25 +0200
Subject: [PATCH] library/roles/ubuntu-deb-general: Various fixes

---
 fail2ban/tasks/main.yml | 6 +++---
 ubuntu-deb-general/defaults/main.yml | 10 ++++++++++
 ubuntu-deb-general/tasks/denyhost.yml | 12 -----------
 .../tasks/install_external_ca_cert.yml | 7 ++++---
 ubuntu-deb-general/tasks/main.yml | 5 ++---
 ubuntu-deb-general/tasks/ntp.yml | 9 +++++++++
 ubuntu-deb-general/tasks/packages.yml | 20 ++++++------------
 7 files changed, 34 insertions(+), 35 deletions(-)
 create mode 100644 ubuntu-deb-general/tasks/ntp.yml

diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 57488351..4cf02202 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
 - include: fail2ban.yml
- when: ( is_trusty ) or ( is_debian8 )
-
-
+ when:
+ - is_trusty
+ - is_debian8
diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml
index ad574eec..5ebb13bc 100644
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@@ -5,6 +5,7 @@ use_apt_proxy: False
 apt_proxy_url: "http://apt.research-infrastructures.eu:9999"
+pkg_state: installed
 common_packages:
 - acl
 - zile
@@ -25,6 +26,11 @@ common_packages:
 - bash-completion
 - sudo
 
+# Set this variable in your playbook
+# additional_packages:
+# - pkg1
+# - pkg2
+
 # Unattended upgrades
 unatt_allowed_origins:
 - '${distro_id}:${distro_codename}-security'
@@ -82,6 +88,10 @@ configure_munin: False
 # Manage the root ssh keys
 manage_root_ssh_keys: False
+install_external_ca_files: True
+external_ca_dest_dir: /etc/ssl/certs
+external_ca_list:
+ - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ external_ca_dest_dir }}/infn-ca.pem' }
 #
 # debian/ubuntu distributions controllers
 #
diff --git a/ubuntu-deb-general/tasks/denyhost.yml b/ubuntu-deb-general/tasks/denyhost.yml
index 8c834d45..d3a92105 100644
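Review bot: The new `when:` list at the end of the fail2ban hunk inverts the condition's meaning: Ansible evaluates a list under `when` as a conjunction, so `is_trusty` and `is_debian8` must both be true, which no single host can satisfy, and `fail2ban.yml` will never be included — the brute-force protection this role exists to deploy silently stops being installed. The removed line was a disjunction, and the same commit rewrites the analogous `denyhost.yml` include in `ubuntu-deb-general/tasks/main.yml` in the opposite direction, from a list to an explicit `or`, which is the correct form. Use the same form here: `when: is_trusty or is_debian8`. Because this gates a security control, the regression is invisible in a successful play run; an `assert`/`fail`-style check in the playbook that the fail2ban package is actually present would make it visible.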
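Review bot: The comment block added after `- sudo` documents `additional_packages` without defining it, yet the new task in `ubuntu-deb-general/tasks/packages.yml` loops over it with a bare `with_items: additional_packages` and no guard, so on hosts whose playbook does not set the variable the role is expected to stop with an undefined-variable error instead of skipping the task. Give the variable a real empty default here so it is always defined: `additional_packages: []`, keeping the `pkg1`/`pkg2` lines as the usage example in the comment above it. That also matches the rest of this file, where every tunable the tasks reference (`pkg_state`, `common_packages`, `configure_munin`, ...) has a default.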
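Review bot: `external_ca_dest_dir: /etc/ssl/certs` writes a downloaded CA directly into the directory that, on Debian and Ubuntu, `update-ca-certificates` populates with hashed symlinks built from `/usr/share/ca-certificates` and `/usr/local/share/ca-certificates`; a PEM dropped there by hand is not hashed and is not merged into `ca-certificates.crt`, so applications using the system store will generally not trust it (confirm against the oldest release this role still targets). The conventional location is `/usr/local/share/ca-certificates/<name>.crt` followed by `update-ca-certificates`, i.e. `external_ca_dest_dir: /usr/local/share/ca-certificates` and `dest_file: '{{ external_ca_dest_dir }}/infn-ca.crt'`, with a handler that runs `update-ca-certificates` after the file changes. Separately, `install_external_ca_files: True` makes adding a new trust anchor the default for every host this role manages; the other feature switches in this file (`configure_munin: False`, `manage_root_ssh_keys: False`) are opt-in, and a trust-store change deserves the same treatment.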
--- a/ubuntu-deb-general/tasks/denyhost.yml
+++ b/ubuntu-deb-general/tasks/denyhost.yml
@@ -3,33 +3,21 @@
 apt: pkg={{ item }} state=installed
 with_items:
 - denyhosts
- when:
- - is_debian_7_or_older
- - is_ubuntu_less_than_trusty
 tags: denyhosts
 
 - name: ensure CM can access the VMs
 action: |
 lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.18$" line="sshd: 146.48.123.18"
- when:
- - is_debian_7_or_older
- - is_ubuntu_less_than_trusty
 tags: denyhosts
 
 - name: ensure Monitoring can connect via ssh
 action: |
 lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.23$" line="sshd: 146.48.123.23"
- when:
- - is_debian_7_or_older
- - is_ubuntu_less_than_trusty
 tags: denyhosts
 
 - name: Set the treshold for root on the denyhosts config file
 lineinfile: |
 name=/etc/denyhosts.conf regexp="^DENY_THRESHOLD_ROOT = " line="DENY_THRESHOLD_ROOT = 5"
- when:
- - is_debian_7_or_older
- - is_ubuntu_less_than_trusty
 notify: Restart denyhosts
 tags: denyhosts
 
diff --git a/ubuntu-deb-general/tasks/install_external_ca_cert.yml b/ubuntu-deb-general/tasks/install_external_ca_cert.yml
index b74e0354..c90d7752 100644
--- a/ubuntu-deb-general/tasks/install_external_ca_cert.yml
+++ b/ubuntu-deb-general/tasks/install_external_ca_cert.yml
@@ -1,6 +1,7 @@
 ---
 - name: Install the INFN CA certificate
- get_url: url=https://security.fi.infn.it/CA/mgt/INFNCA.pem dest=/etc/ssl/certs/infn-ca.pem
- tags:
- - ca
+ get_url: url={{ item.url }} dest={{ item.dest_file }}
+ with_items: external_ca_list
+ when: install_external_ca_files
+ tags: ca
 
diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml
index 2ba84e34..36bdd54a 100644
--- a/ubuntu-deb-general/tasks/main.yml
+++ b/ubuntu-deb-general/tasks/main.yml
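Review bot: The generalized `get_url` task installs whatever bytes `item.url` returns as a trust anchor with no integrity check beyond the TLS connection to the download host; for a CA certificate that is the highest-impact file this role writes, since a substituted download would make an attacker-controlled CA trusted on every host. `get_url` accepts `sha256sum=` in this Ansible generation, so carry an expected digest in each `external_ca_list` entry and enforce it, e.g. `get_url: url={{ item.url }} dest={{ item.dest_file }} sha256sum={{ item.sha256sum }}`. The bare `with_items: external_ca_list` works here but is the spelling later releases deprecate; `with_items: "{{ external_ca_list }}"` is the forward-compatible form. Nothing notifies a handler after the download either, so the file is written but the system trust store is not refreshed; the task should `notify` an `update-ca-certificates` handler, which in turn requires the destination chosen in defaults to be a directory that tool scans.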
@@ -3,15 +3,14 @@
 - include: resolvconf.yml
 when: install_resolvconf
 - include: packages.yml
+- include: ntp.yml
 - include: remove-unneeded-pkgs.yml
 - include: manage-ipv6-status.yml
 when: is_not_debian_less_than_6
 - include: disable-ipv6-old-servers.yml
 when: disable_ipv6
 - include: denyhost.yml
- when:
- - is_debian_7_or_older
- - is_ubuntu_less_than_trusty
+ when: is_debian_7_or_older or is_ubuntu_less_than_trusty
 - include: munin.yml
 when: configure_munin
 - include: pubkeys.yml
diff --git a/ubuntu-deb-general/tasks/ntp.yml b/ubuntu-deb-general/tasks/ntp.yml
new file mode 100644
index 00000000..46a6692c
--- /dev/null
+++ b/ubuntu-deb-general/tasks/ntp.yml
@@ -0,0 +1,9 @@
+---
+- name: Install the ntp server
+ apt: pkg=ntp state={{ pkg_state }}
+ tags: [ 'packages', 'ntp' ]
+
+- name: Ensure that the ntp server is running
+ service: name=ntp state=started enabled=yes
+ tags: [ 'packages', 'ntp' ]
+
diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml
index 52ff5ae5..2b8241a4 100644
--- a/ubuntu-deb-general/tasks/packages.yml
+++ b/ubuntu-deb-general/tasks/packages.yml
@@ -69,24 +69,16 @@
 apt: update_cache=yes
 when: update_apt_cache.changed
 ignore_errors: True
- tags:
- - packages
+ tags: packages
 
 - name: install common packages
- apt: pkg={{ item }} state=installed
+ apt: pkg={{ item }} state={{ pkg_state }}
 when: has_apt
 with_items: common_packages
 tags: [ 'packages', 'common_pkgs' ]
 
-- name: Install the ntp server
- apt: pkg=ntp state=installed
- tags:
- - packages
- - ntp
-
-- name: Ensure that the ntp server is running
- service: name=ntp state=started
- tags:
- - packages
- - ntp
+- name: Install additional packages, if any
+ apt: pkg={{ item }} state={{ pkg_state }}
+ with_items: additional_packages
+ tags: [ 'packages', 'common_pkgs' ]
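Review bot: The two tasks in the new `ntp.yml` run unconditionally, whereas the `install common packages` task in `packages.yml` is guarded with `when: has_apt`, and the `- include: ntp.yml` added to `main.yml` carries no condition either; on a host where `has_apt` is false the `apt` task would fail the play rather than be skipped. Add `when: has_apt` to the install task (or to the include in `main.yml`) for consistency with the rest of the package handling. The role also never manages `/etc/ntp.conf`, so ntpd starts with whatever server list and `restrict` lines the distribution package ships; since TLS validity, Kerberos and log correlation all depend on trustworthy time, consider templating `ntp.conf` with the organization's time sources and an explicit `restrict default kod nomodify notrap nopeer noquery` so the daemon acts only as a client. Whether a given release's default configuration already includes that restrict line should be checked rather than assumed.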
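Review bot: The new `Install additional packages, if any` task lacks the `when: has_apt` guard carried by the `install common packages` task just above it, and it loops over `with_items: additional_packages` although `defaults/main.yml` only mentions that variable in a comment, so on a host whose playbook does not set it the loop is expected to abort with an undefined variable — the "if any" in the name is not implemented. A `when: additional_packages is defined` alone would not help, because `with_items` is expanded before `when` is evaluated; make the loop itself safe with `with_items: "{{ additional_packages | default([]) }}"` together with `when: has_apt`. Reusing the `common_pkgs` tag here also means `--tags common_pkgs` now pulls in site-specific extras; a distinct `additional_pkgs` tag would keep the two sets separable.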