diff --git a/d4s_user_services_perms/README.md b/d4s_user_services_perms/README.md index 7bf646d2..17649040 100644 --- a/d4s_user_services_perms/README.md +++ b/d4s_user_services_perms/README.md @@ -1,3 +1,12 @@ This role assumes that only one tomcat instance is defined and running on the system. Important note: the variable 'http_port' needs to be defined earlier in the calling playbook. + +What the role does: + +- Install the sudoers config that permits the tomcat user to restart +the service +- Install the script that allows the tomcat user to start and stop the +service without using the full path +- Install the README file that explains where the options files are +placed and how start/stop the service diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml index aa65e71a..59d4a1b7 100644 --- a/d4s_user_services_perms/defaults/main.yml +++ b/d4s_user_services_perms/defaults/main.yml @@ -1,3 +1,7 @@ --- d4science_user: gcube d4science_user_home: '/home/{{ d4science_user }}' + +d4science_tomcat_options_files: + - '/etc/default/tomcat-instance-{{ item.0.http_port }}' + - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local' diff --git a/d4s_user_services_perms/tasks/main.yml b/d4s_user_services_perms/tasks/main.yml index 687eae1f..7505dc46 100644 --- a/d4s_user_services_perms/tasks/main.yml +++ b/d4s_user_services_perms/tasks/main.yml 
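Review bot: The new `d4science_tomcat_options_files` default in d4s_user_services_perms/defaults/main.yml embeds `item.0.http_port`, a loop variable that only resolves inside a `with_nested` task, and the only consumer visible in this commit is the commented-out acl task in tasks/main.yml, so the default is either dead or will fail to render if referenced outside a loop. Either drop the variable with the commented task, or document the constraint above it: `# Only usable as the inner list of a with_nested over tomcat_m_instances (item.0 is the instance); see the acl tasks in tasks/main.yml`. If it is being kept for a later refactor, say so in that comment.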
@@ -9,3 +9,29 @@ - '{{ tomcat_m_instances }}' - [ 'startContainer.sh', 'stopContainer.sh' ] tags: [ 'tomcat', 'd4science', 'sudo' ] + +- name: Install the README file that explains where the options files are placed and how start/stop the service + template: src={{ item.1 }}.j2 dest={{ item.0.user_home }}/{{ item.1 }} owner={{ item.0.user }} group={{ item.0.user }} mode=0444 + with_nested: + - '{{ tomcat_m_instances }}' + - [ 'README' ] + tags: [ 'tomcat', 'd4science', 'd4s_readme' ] + +# - name: Set the read/write permissions on the tomcat default options files +# acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present +# with_nested: +# - '{{ tomcat_m_instances }}' +# - '{{ d4science_tomcat_options_files }}' +# tags: [ 'tomcat', 'd4science', 'acl' ] + +- name: Set the read/write permissions on the tomcat default options files + acl: name=/etc/default/tomcat-instance-{{ item.http_port }} entity={{ item.user }} etype=user permissions=rw state=present + with_items: tomcat_m_instances + tags: [ 'tomcat', 'd4science', 'acl' ] + +- name: Set the read/write permissions on the tomcat default local options files + acl: name=/etc/default/tomcat-instance-{{ item.http_port }}.local entity={{ item.user }} etype=user permissions=rw state=present + with_items: tomcat_m_instances + tags: [ 'tomcat', 'd4science', 'acl' ] + + diff --git a/d4s_user_services_perms/templates/README.j2 b/d4s_user_services_perms/templates/README.j2 new file mode 100644 index 00000000..52448f5b --- /dev/null +++ b/d4s_user_services_perms/templates/README.j2 
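Review bot: The two new acl tasks give the instance user write access to `/etc/default/tomcat-instance-{{ item.http_port }}` and its `.local` companion, while the same role (per its README) installs a sudoers entry letting that user restart the service as root; if the tomcat-instance init script sources those defaults files, as Debian-style init scripts conventionally do, the unprivileged tomcat user can put arbitrary shell into `JAVA_OPTS` or a new line and have it run as root on the next sudo restart. Whether the init script sources /etc/default is not visible here and needs confirming, but if it does this role is effectively handing root to the service account. Prefer keeping the defaults files root-writable only (`permissions=r` for the user) and exposing tunables through a file the init script reads rather than executes, or accept the trade-off explicitly with a comment above the acl tasks: `# NOTE: rw on the /etc/default file plus the NOPASSWD restart in sudoers lets this user run commands as root; acceptable only for a fully trusted account`. Also `with_items: tomcat_m_instances` is a bare variable name; `with_items: '{{ tomcat_m_instances }}'` matches the with_nested tasks above it and works on newer Ansible releases.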
@@ -0,0 +1,8 @@ +The java options are set inside /etc/default/tomcat-instance-{{ item.0.http_port }} +The GHN environment variables are set inside /etc/default/tomcat-instance-{{ item.0.http_port }}.local + +The commands that start and stop the containers are: +/home/gcube/startContainer.sh +/home/gcube/stopContainer.sh + +The log files live inside /home/gcube/tomcat/logs (it's a symbolic link to {{ tomcat_m_instances_logdir_base }}/{{ item.0.http_port }}) diff --git a/dnet_user_services_perms/README.md b/dnet_user_services_perms/README.md index 7c16a155..8cd98a17 100644 --- a/dnet_user_services_perms/README.md +++ b/dnet_user_services_perms/README.md @@ -1,3 +1,3 @@ This role sets acls that permit unprivileged users to: - write inside a list of directories -- restart the tomcat instances +- restart the tomcat instances (default). Or manage other services. diff --git a/dnet_user_services_perms/defaults/main.yml b/dnet_user_services_perms/defaults/main.yml index c5769562..48288740 100644 --- a/dnet_user_services_perms/defaults/main.yml +++ b/dnet_user_services_perms/defaults/main.yml @@ -1,6 +1,8 @@ --- +dnet_standard_installation: True dnet_user: tomcat7 dnet_group: dnet +dnet_sudoers_group: dnetsu dnet_data_directories: - /var/lib/dnet @@ -8,3 +10,14 @@ dnet_data_directories: dnet_log_directories: - /var/log/dnet - /var/log/dnet/search + +# Define the following if you want some directories readable and writable by the dnet group but outside the dnet app data dirs +#dnet_users_data_directories: +# - { name: '/data/1', create: True } +# - { name: '/data/2', create: False, file: False } +# - { name: '/data/bah', create: False, file: True } + +# Define the following array when you want to add commands to the sudoers file +#dnet_sudo_commands: +# - /etc/init.d/virtuoso-opensource-7 +# - /sbin/reboot 
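Review bot: The commented `dnet_sudo_commands` example in dnet_user_services_perms/defaults/main.yml lists bare init scripts and `/sbin/reboot`, and the template that consumes it writes each entry verbatim as a `NOPASSWD` root command with no argument restriction, so a bare `/etc/init.d/virtuoso-opensource-7` entry lets any member of `dnet_sudoers_group` pass whatever arguments that script accepts. Since this example is what operators will copy, show the restricted form instead: `#  - '/etc/init.d/virtuoso-opensource-7 start'`, `#  - '/etc/init.d/virtuoso-opensource-7 stop'`, `#  - '/etc/init.d/virtuoso-opensource-7 restart'`, with a line noting that entries land in sudoers unchanged so arguments must be spelled out. `dnet_standard_installation: True` would read more portably as `true`.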
diff --git a/dnet_user_services_perms/tasks/dnet-additional-packages.yml b/dnet_user_services_perms/tasks/dnet-additional-packages.yml new file mode 100644 index 00000000..980005e4 --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-additional-packages.yml @@ -0,0 +1,13 @@ +--- +- name: Install additional packages, if needed + apt: pkg={{ item }} state=installed + with_items: dnet_additional_packages + when: dnet_additional_packages is defined + tags: ['dnet', 'pkgs'] + +- name: Install additional python modules, if needed + pip: name={{ item }} state=present + with_items: dnet_additional_python_modules + when: dnet_additional_python_modules is defined + tags: ['dnet', 'pkgs'] + diff --git a/dnet_user_services_perms/tasks/dnet-data-dirs.yml b/dnet_user_services_perms/tasks/dnet-data-dirs.yml new file mode 100644 index 00000000..b896164a --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-data-dirs.yml 
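Review bot: The pip task installs every name in `dnet_additional_python_modules` with `state=present` and no version, so each run pulls the newest release from the index as root with nothing pinned; that is a supply-chain exposure and also lets hosts drift from one another. The task already accepts pinned specifiers (`name={{ item }}` works with `requests==2.7.0`), so say so where the variable is documented: `# dnet_additional_python_modules: pin versions, e.g. 'requests==2.7.0'; unpinned names float to the latest release on every run`. The bare `with_items: dnet_additional_packages` works on old Ansible, but `with_items: '{{ dnet_additional_packages }}'` is the form newer releases require.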
@@ -0,0 +1,30 @@ +--- +- name: Create the dnet data dirs + file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750 + with_items: dnet_data_directories + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Create the dnet log dirs + file: name={{ item }} state=directory owner={{ tomcat_user }} group={{ dnet_group }} mode=0750 + with_items: dnet_log_directories + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the read/write permissions on the dnet data dirs + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present + with_items: dnet_data_directories + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read/write permissions on the dnet data dirs + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes + with_items: dnet_data_directories + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the read permissions on the dnet log dirs + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present + with_items: dnet_log_directories + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read permissions on the dnet log dirs + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes + with_items: dnet_log_directories + tags: [ 'tomcat', 'dnet', 'users' ] diff --git a/dnet_user_services_perms/tasks/dnet-groups.yml b/dnet_user_services_perms/tasks/dnet-groups.yml new file mode 100644 index 00000000..d04599e3 --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-groups.yml 
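Review bot: The log-directory task sets `owner={{ tomcat_user }}` while the data-directory task just above uses `owner={{ dnet_user }}`, and this role's defaults define only `dnet_user` (defaulting to `tomcat7`); unless the tomcat role always runs first and exports `tomcat_user`, the log task fails on an undefined variable. If both are meant to be the service account, use `owner={{ dnet_user }}` in both tasks; if they are intentionally different, add `# tomcat_user is provided by the tomcat role, which must run before this one` above the log task so the dependency is explicit.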
@@ -0,0 +1,25 @@ +--- +- name: Add the dnet groups, if it does not exist already + group: name={{ item }} state=present + with_items: + - '{{ dnet_group }}' + - '{{ dnet_sudoers_group }}' + tags: [ 'dnet', 'users' ] + +- name: Add all the users to the dnet group + user: name={{ item.login }} groups={{ dnet_group }}, append=yes + with_items: users_system_users + tags: [ 'dnet', 'users' ] + +- name: Add selected users to the dnet sudoers group + user: name={{ item.login }} groups={{ dnet_sudoers_group }}, append=yes + with_items: users_system_users + when: item.dnet_sudoers_user + tags: [ 'dnet', 'users' ] + +- name: Remove selected users to the dnet sudoers group + user: name={{ item.login }} groups={{ dnet_group }} + with_items: users_system_users + when: not item.dnet_sudoers_user + tags: [ 'dnet', 'users' ] + diff --git a/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml b/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml new file mode 100644 index 00000000..e0b1a3e7 --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml 
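Review bot: The last task, `Remove selected users to the dnet sudoers group`, sets `groups={{ dnet_group }}` without `append=yes`, which makes the user module replace the account's entire supplementary group list with just `dnet`, so a user who is simply not a dnet sudoer also loses `sudo`, `adm` or any other group granted elsewhere. The user module cannot remove a single group; a `command: gpasswd -d {{ item.login }} {{ dnet_sudoers_group }}` run only when the user is currently a member (or managing the sudoers group as an explicit member list) avoids the collateral damage. Both `when: item.dnet_sudoers_user` and `when: not item.dnet_sudoers_user` also error on any user entry that lacks the key; `when: item.dnet_sudoers_user | default(False)` and `when: not (item.dnet_sudoers_user | default(False))` keep the default at no sudo. The trailing comma in `groups={{ dnet_group }}, append=yes` is stray; it should read `groups={{ dnet_group }} append=yes`.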
@@ -0,0 +1,68 @@ +--- + +# +# Acls for the single tomcat instance +# +# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default +- name: Set the read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default +- name: Set the read permissions on the tomcat log directory. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_logdir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read permissions on the tomcat log directory. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_logdir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +# +# Same steps, but when we are using multiple tomcat instances +# +# Note: the default is a default only. 
We need two commands to add acl effectively on the root dir and set the default +- name: Set the read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances + acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present + when: tomcat_m_instances is defined + with_nested: + - '{{ tomcat_m_instances }}' + - [ 'webapps', 'common', 'common/classes' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances + acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes + when: tomcat_m_instances is defined + with_nested: + - '{{ tomcat_m_instances }}' + - [ 'webapps', 'common', 'common/classes' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default +- name: Set the read permissions on the tomcat log directory. multiple tomcat instances + acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present + when: tomcat_m_instances is defined + with_items: tomcat_m_instances + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read permissions on the tomcat log directory. multiple tomcat instances + acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes + when: tomcat_m_instances is defined + with_items: tomcat_m_instances + tags: [ 'tomcat', 'dnet', 'users' ] + diff --git a/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml new file mode 100644 index 00000000..ea97b2e8 --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml 
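Review bot: The file grants `rwx` to the whole `dnet_group` on each instance's `webapps`, `common` and `common/classes` directories, but the header comments only explain the default-ACL mechanics and not what that access means; anyone in the group can drop a WAR or class file that Tomcat will presumably load and run as the service account, which is likely the intent of the role but is a trust boundary worth stating. Add to the file header: `# Members of dnet_group can deploy code into webapps/ and common/classes, i.e. run arbitrary code as the tomcat user; only add trusted accounts to the group`. The single-instance variants use `with_items:` followed by `- [ a, b, c ]`, a list nested inside a list that with_items happens to flatten; a plain list of three entries is clearer and behaves the same.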
@@ -0,0 +1,25 @@ +--- +- name: Create the users dnet data dirs + file: name={{ item.name }} state=directory owner=root group={{ dnet_group }} mode=0750 + with_items: dnet_users_data_directories + when: item.create and not item.file + tags: [ 'dnet', 'users' ] + +- name: Set the read/write/access permissions on the users dnet data dirs + acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rwx state=present + with_items: dnet_users_data_directories + when: not item.file + tags: [ 'dnet', 'users' ] + +- name: Set the default read/write/access permissions on the users dnet data dirs + acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes + with_items: dnet_users_data_directories + when: not item.file + tags: [ 'dnet', 'users' ] + +- name: Set the read/write permissions on pre-existing files inside the users dnet data dirs + acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rw state=present + with_items: dnet_users_data_directories + when: item.file + tags: [ 'dnet', 'users' ] + diff --git a/dnet_user_services_perms/tasks/main.yml b/dnet_user_services_perms/tasks/main.yml index fad72845..da095841 100644 --- a/dnet_user_services_perms/tasks/main.yml +++ b/dnet_user_services_perms/tasks/main.yml 
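Review bot: Every task here tests `item.file` directly, but the example in this commit's defaults (`{ name: '/data/1', create: True }`) omits that key, so the first task raises an undefined-attribute error on exactly the documented input. Use `when: (item.create | default(False)) and not (item.file | default(False))` for the create task and `when: not (item.file | default(False))` / `when: item.file | default(False)` for the acl tasks. Note also that an entry with `create: True, file: True` is skipped by the create task, so the later acl on a non-existent file fails; either state in a comment that files are never created or add a `file: path={{ item.name }} state=touch` task for that case.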
@@ -1,107 +1,10 @@ --- -- name: Add the all the users to the dnet group - user: name={{ item.login }} groups={{ dnet_group }} - with_items: users_system_users - tags: [ 'dnet', 'users' ] - -- name: Install the sudoers config that permits the dnet users to restart tomcat - template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440 - tags: [ 'tomcat', 'dnet', 'sudo', 'users' ] - -- name: Create the dnet data dirs - file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750 - with_items: dnet_data_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Create the dnet log dirs - file: name={{ item }} state=directory owner={{ tomcat_user }} group={{ dnet_group }} mode=0750 - with_items: dnet_log_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the read/write permissions on the dnet data dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present - with_items: dnet_data_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read/write permissions on the dnet data dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes - with_items: dnet_data_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the read permissions on the dnet log dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present - with_items: dnet_log_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read permissions on the dnet log dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes - with_items: dnet_log_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -# -# Acls for the single tomcat instance -# -# Note: the default is a default only. 
We need two commands to add acl effectively on the root dir and set the default -- name: Set the read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default -- name: Set the read permissions on the tomcat log directory. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_logdir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read permissions on the tomcat log directory. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_logdir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -# -# Same steps, but when we are using multiple tomcat instances -# -# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default -- name: Set the read/write permissions on the tomcat webapps and common/classes directories. 
multiple tomcat instances - acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present - when: tomcat_m_instances is defined - with_nested: - - ' {{ tomcat_m_instances }}' - - [ 'webapps', 'common', 'common/classes' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances - acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes - when: tomcat_m_instances is not defined - when: tomcat_m_instances is defined - with_nested: - - ' {{ tomcat_m_instances }}' - - [ 'webapps', 'common', 'common/classes' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default -- name: Set the read permissions on the tomcat log directory. multiple tomcat instances - acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present - when: tomcat_m_instances is defined - with_items: tomcat_m_instances - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read permissions on the tomcat log directory. multiple tomcat instances - acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes - when: tomcat_m_instances is defined - with_items: tomcat_m_instances - tags: [ 'tomcat', 'dnet', 'users' ] - +- include: dnet-groups.yml +- include: sudo-config.yml +- include: dnet-data-dirs.yml + when: dnet_standard_installation +- include: dnet-users-data-dirs.yml + when: dnet_users_data_directories is defined +- include: dnet-additional-packages.yml +- include: dnet-tomcat-acls.yml + when: dnet_standard_installation 
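Review bot: `sudo-config.yml` is included unconditionally, but the sudoers template it installs only emits commands when `tomcat_m_instances` or `dnet_sudo_commands` is defined; on a host with neither it writes a `%dnetsu ALL=(ALL) NOPASSWD:` line with an empty command list, which sudo rejects as a syntax error, and a drop-in that fails to parse blocks sudo for every user on the box. Gate the include: `- include: sudo-config.yml` / `  when: tomcat_m_instances is defined or dnet_sudo_commands is defined`. A comment above the include list saying that `dnet_standard_installation: False` skips both the data dirs and the tomcat acls would also help readers of this now very short file.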
diff --git a/dnet_user_services_perms/tasks/sudo-config.yml b/dnet_user_services_perms/tasks/sudo-config.yml new file mode 100644 index 00000000..efcb2c75 --- /dev/null +++ b/dnet_user_services_perms/tasks/sudo-config.yml @@ -0,0 +1,5 @@ +--- +- name: Install the sudoers config that permits the dnet users to execute some privileged commands + template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440 + tags: [ 'tomcat', 'dnet', 'sudo', 'users' ] + diff --git a/dnet_user_services_perms/templates/dnet-sudoers.j2 b/dnet_user_services_perms/templates/dnet-sudoers.j2 index d37971d0..34bd9498 100644 --- a/dnet_user_services_perms/templates/dnet-sudoers.j2 +++ b/dnet_user_services_perms/templates/dnet-sudoers.j2 @@ -1,3 +1,3 @@ -%{{ dnet_group }} ALL=(ALL) NOPASSWD: /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-* +%{{ dnet_sudoers_group }} ALL=(ALL) NOPASSWD: {% if tomcat_m_instances is defined %}/etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*{% endif %}{% if dnet_sudo_commands is defined %}{% for cmd in dnet_sudo_commands %}{{ cmd }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 655a7fe0..b5e01294 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -2,16 +2,14 @@ # Fail2ban # Needed by the fail2ban template -cm_ip: 146.48.123.18 -monitoring_ip: 146.48.123.23 # ban time in seconds. 86400 == 1 day f2b_ban_time: 86400 f2b_findtime: 600 f2b_maxretry: 5 f2b_default_backend: auto f2b_usedns: warn -f2b_dest_email: sysadmin@research-infrastructures.eu -f2b_sender_email: denyhosts@research-infrastructures.eu +f2b_dest_email: 'sysadmin@{{ domain_name }}' +f2b_sender_email: 'denyhosts@{{ domain_name }}' f2b_default_banaction: iptables-multiport # Default action: ban. Not send email f2b_default_action: action_ diff --git a/fail2ban/handlers/main.yml b/fail2ban/handlers/main.yml index cdd2d5e8..5423011a 100644 
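Review bot: The template task writes straight into `/etc/sudoers.d/dnet-group` with no `validate=`, so a rendering mistake (the template can produce an empty or mis-joined command list) lands on disk and breaks sudo for all users before anyone notices. Add `validate='visudo -cf %s'` so Ansible refuses a malformed file instead of installing it: `template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440 validate='visudo -cf %s'`.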
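Review bot: When both `tomcat_m_instances` and `dnet_sudo_commands` are defined the template concatenates the two lists with no separator, producing `/etc/init.d/tomcat-instance-*/etc/init.d/virtuoso-opensource-7` as one bogus command, so the extra commands are never granted and the line may not parse at all. Emit the separator between the blocks, e.g. `{% if tomcat_m_instances is defined and dnet_sudo_commands is defined %}, {% endif %}` just before the loop. The `/etc/init.d/tomcat7` entry is now conditional on `tomcat_m_instances is defined`, i.e. the multi-instance case, which looks inverted: a single-instance host (the README's default) loses its tomcat restart privilege entirely. If that is intentional it deserves a comment in the template; if not, the tomcat7 entry should be emitted when `tomcat_m_instances` is not defined.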
--- a/fail2ban/handlers/main.yml +++ b/fail2ban/handlers/main.yml @@ -1,4 +1,6 @@ --- - name: Restart fail2ban service: name=fail2ban state=restarted enabled=yes + when: has_fail2ban + diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 57488351..33aa9aeb 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -1,5 +1,3 @@ --- - include: fail2ban.yml - when: ( is_trusty ) or ( is_debian8 ) - - + when: has_fail2ban diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 6cf14ac0..65c9e4f8 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -18,7 +18,7 @@ # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. -ignoreip = 127.0.0.1/8 {{ cm_ip }} {{ monitoring_ip }} +ignoreip = 127.0.0.1/8 {% if cm_ip is defined %}{{ cm_ip }}{% endif %} {% if monitoring_ip is defined %}{{ monitoring_ip }}{% endif %} # "bantime" is the number of seconds that a host is banned. bantime = {{ f2b_ban_time }} diff --git a/ganglia/tasks/main.yml b/ganglia/tasks/main.yml index b4873dd7..d1976cdb 100644 --- a/ganglia/tasks/main.yml +++ b/ganglia/tasks/main.yml @@ -12,18 +12,16 @@ with_items: - ganglia-modules-linux - ganglia-monitor-python - notify: - Restart ganglia monitor - when: is_trusty_or_debian7 + notify: Restart ganglia monitor + when: ( is_trusty_or_debian7 ) or ( is_debian8 ) tags: - monitoring - ganglia - name: Distribute the ganglia configuration file for Ubuntu >= 12.04 template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444 - when: is_not_ubuntu_less_than_precise - notify: - Restart ganglia monitor + when: ( is_not_ubuntu_less_than_precise ) or ( is_debian8 ) + notify: Restart ganglia monitor tags: - monitoring - ganglia 
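Review bot: The include and the fail2ban handlers now key off `has_fail2ban`, but this commit's fail2ban defaults hunk does not define it and the old `( is_trusty ) or ( is_debian8 )` guard is gone, so on any host where the variable is not set in group_vars the play fails on an undefined variable rather than skipping the role. Either add `has_fail2ban: False` (or the previous distro test) to `fail2ban/defaults/main.yml`, or guard with `when: has_fail2ban is defined and has_fail2ban`. A comment next to the definition naming where `has_fail2ban` is expected to be set would save the next reader the search.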
@@ -31,8 +29,7 @@ - name: Distribute the ganglia configuration file for Debian 7 template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444 when: is_debian7 - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -40,8 +37,7 @@ - name: Distribute the ganglia configuration file for Ubuntu < 12.04 and >= 10.04 and Debian 6 template: src=gmond-3.1.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444 when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -50,8 +46,7 @@ template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444 when: - is_ubuntu_between_8_and_9_and_is_debian_4 - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -60,8 +55,7 @@ template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444 when: - is_broken_hardy_lts - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -82,8 +76,7 @@ - name: Setup the ganglia configuration for python modules copy: src=modpython.conf dest=/etc/ganglia/conf.d/modpython.conf owner=root group=root mode=0644 - notify: - - Restart ganglia monitor + notify: Restart ganglia monitor when: is_precise tags: - monitoring diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml index 44293ea7..72895169 100644 --- a/iptables/handlers/main.yml +++ b/iptables/handlers/main.yml @@ -22,5 +22,5 @@ - name: Restart fail2ban service: name=fail2ban state=restarted enabled=yes - when: is_trusty + when: has_fail2ban diff --git a/ldap-client-config/defaults/main.yml b/ldap-client-config/defaults/main.yml index 048eaa20..8ed59077 100644 --- a/ldap-client-config/defaults/main.yml +++ b/ldap-client-config/defaults/main.yml 
@@ -1,4 +1,4 @@ --- -nemis_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu" -nemis_ldap_base_dn: "dc=research-infrastructures,dc=eu" - +ldap_uri: "ldap://ldap.sub.research-infrastructures.eu" +ldap_base_dn: "dc=research-infrastructures,dc=eu" +ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt diff --git a/ldap-client-config/tasks/main.yml b/ldap-client-config/tasks/main.yml index 7f5d78bf..c4b4e76e 100644 --- a/ldap-client-config/tasks/main.yml +++ b/ldap-client-config/tasks/main.yml 
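Review bot: `ldap_uri` keeps the plain `ldap://` scheme while the same hunk adds `ldap_tls_cacert`, and nothing visible in this role turns STARTTLS on; since libpam-ldap, which this role installs, binds to this URI with user credentials, authentication traffic is in the clear unless the server itself forces TLS. Either default to `ldaps://ldap.sub.research-infrastructures.eu`, or add a variable the templates render into `ssl start_tls` and `TLS_REQCERT demand`, and record the choice above the URI: `# ldap:// is plaintext; PAM binds carry user passwords, so use ldaps:// or enable start_tls unless the network path is trusted`.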
@@ -4,36 +4,30 @@ with_items: - ldapscripts - libpam-ldap - tags: - - ldap-client + tags: ldap-client - name: Write the ldap client configuration file - template: src=ldap.conf.j2 dest=/etc/ldap.conf mode=444 owner=root group=root + template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root when: is_ubuntu_less_than_trusty - tags: - - ldap-client + tags: ldap-client - name: Write the ldap client configuration file template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root when: is_trusty - tags: - - ldap-client + tags: ldap-client - name: set the ldapscripts.conf uri - action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ nemis_ldap_uri }}' syntax=shell + action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell when: is_trusty - tags: - - ldap-client + tags: ldap-client - name: set the ldapscripts.conf bind dn - action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ nemis_ldap_base_dn }}' syntax=shell + action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell when: is_trusty - tags: - - ldap-client + tags: ldap-client - name: set the ldapscripts.conf dn suffix - action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ nemis_ldap_base_dn }}' syntax=shell + action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell when: is_trusty - tags: - - ldap-client + tags: ldap-client diff --git a/ldap-client-config/templates/ldap.conf-old.j2 b/ldap-client-config/templates/ldap.conf-old.j2 new file mode 100644 index 00000000..38754476 --- /dev/null +++ b/ldap-client-config/templates/ldap.conf-old.j2 
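Review bot: The ldapscripts.conf and `/etc/ldap/ldap.conf` tasks run only `when: is_trusty`, while the rest of this commit adds `is_debian8` branches elsewhere; a Debian 8 host matches neither `is_ubuntu_less_than_trusty` nor `is_trusty` here and ends up with no client configuration at all. Widen the guards to `when: ( is_trusty ) or ( is_debian8 )` if Debian 8 is in scope, or state the supported platforms in a comment at the top of the file. Setting `BINDDN` to `cn=admin,{{ ldap_base_dn }}` also means ldapscripts binds as the directory admin from every client, and the hunk does not show where that password comes from; a comment pointing at its source would help whoever deploys this.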
@@ -0,0 +1,11 @@ +# The distinguished name of the search base. +BASE {{ ldap_base_dn }} + +# Another way to specify your LDAP server is to provide an +URI {{ ldap_uri }} + +# The LDAP version to use (defaults to 3 +# if supported by client library) +ldap_version 3 + +nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data diff --git a/ldap-client-config/templates/ldap.conf.j2 b/ldap-client-config/templates/ldap.conf.j2 index 7a81eae4..ae1526d6 100644 --- a/ldap-client-config/templates/ldap.conf.j2 +++ b/ldap-client-config/templates/ldap.conf.j2 @@ -1,11 +1,14 @@ # The distinguished name of the search base. -BASE {{ nemis_ldap_base_dn }} +BASE {{ ldap_base_dn }} # Another way to specify your LDAP server is to provide an -URI {{ nemis_ldap_uri }} +URI {{ ldap_uri }} # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data + +# TLS certificates (needed for GnuTLS) +TLS_CACERT {{ ldap_tls_cacert }} diff --git a/mediawiki/defaults/main.yml b/mediawiki/defaults/main.yml index 26dc76c3..47b87079 100644 --- a/mediawiki/defaults/main.yml +++ b/mediawiki/defaults/main.yml @@ -16,6 +16,7 @@ mw_php_prereq: - php5-mysqlnd - php-apc - php-pear + - php5-ldap - imagemagick # This choice is not recommended. The package has a poor list of dependencies. We do not want to deal with those diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 21a3e9e6..cdea08a8 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml 
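Review bot: `TLS_CACERT` is added only to `ldap.conf.j2`; the new `ldap.conf-old.j2`, which serves every pre-trusty Ubuntu host via `/etc/ldap.conf`, matches the previous template apart from the variable rename and gets no CA setting, so those hosts cannot verify the server if TLS is ever enabled. Add the same two lines there: `# TLS certificates (needed for GnuTLS)` / `TLS_CACERT {{ ldap_tls_cacert }}`. On its own `TLS_CACERT` neither requires TLS nor enforces certificate checking; pair it with `TLS_REQCERT demand` (and an `ldaps://` URI or start_tls) if the goal is to actually authenticate the server.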
@@ -43,4 +43,5 @@ mysql_backup_logdir: '{{ mysql_log_dir }}' mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log' mysql_backup_retain_copies: 15 mysql_backup_destdir: /var/lib/mysql-backup +mysql_backup_exclude_list: "performance_schema" diff --git a/mysql/files/mysql-backup.sh b/mysql/files/mysql-backup.sh index e08cbb74..463bebad 100644 --- a/mysql/files/mysql-backup.sh +++ b/mysql/files/mysql-backup.sh @@ -6,6 +6,8 @@ MY_BACKUP_USE_NAGIOS="False" MY_BACKUP_DIR=/var/lib/mysql-backup MY_DATA_DIR=/var/lib/mysql N_DAYS_TO_SPARE=7 +# Exclude list +EXCLUDE_LIST='performance_schema' if [ -f /etc/default/mysql_backup ] ; then . /etc/default/mysql_backup 
@@ -33,33 +35,28 @@ fi chmod 700 $MY_BACKUP_DIR LOCKFILE=$MY_DATA_DIR/.mysqldump.lock NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status -# Exclude list -EXCLUDE_LIST='performance_schema' if [ ! -f $LOCKFILE ] ; then touch $LOCKFILE if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then > $NAGIOS_LOG fi - for db in $( /bin/ls -1 /var/lib/mysql/ | grep -v $EXCLUDE_LIST ) ; do - if [ -d /var/lib/mysql/$db ] ; then - #mysqldump -uroot -f --opt -p$MYSQLPASS $db > $MY_BACKUP_DIR/$db.sql 2> $MY_BACKUP_DIR/log/$db.log - mysqldump -f --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log - DUMP_RESULT=$? - chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} - if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then - if [ $DUMP_RESULT -ne 0 ] ; then - echo "$db:FAILED" >> $NAGIOS_LOG - RETVAL=$DUMP_RESULT - else - echo "$db:OK" >> $NAGIOS_LOG - fi - fi - pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1 - rm -f $db.sql - ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql - popd >/dev/null 2>&1 - fi + for db in $( mysql -Bse "show databases;" | grep -v $EXCLUDE_LIST ) ; do + mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log + DUMP_RESULT=$? + chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} + if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then + if [ $DUMP_RESULT -ne 0 ] ; then + echo "$db:FAILED" >> $NAGIOS_LOG + RETVAL=$DUMP_RESULT + else + echo "$db:OK" >> $NAGIOS_LOG + fi + fi + pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1 + rm -f $db.sql + ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql + popd >/dev/null 2>&1 done # Do a "flush-hosts" after the backup mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log diff --git a/mysql/tasks/manage_my_db.yml b/mysql/tasks/manage_my_db.yml index f70bcab3..dfbd6e4a 100644 --- a/mysql/tasks/manage_my_db.yml +++ b/mysql/tasks/manage_my_db.yml 
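Review bot: The new enumeration `mysql -Bse "show databases;" | grep -v $EXCLUDE_LIST` yields `information_schema` (and `sys` on newer servers), which the old directory listing never produced, and mysqldump with `--opt` typically cannot dump it because of the implied table locking, so expect a `FAILED` entry in the nagios status on every run. `grep -v $EXCLUDE_LIST` is also fragile: it is an unquoted substring match, so a two-entry exclude list turns the second entry into a file argument and any database whose name merely contains `performance_schema` is skipped. One line addresses both: `for db in $( mysql -Bse "show databases;" | grep -vxE "$(echo "information_schema ${EXCLUDE_LIST}" | tr ' ' '|')" ) ; do`. `$db` should be quoted in the mysqldump, `rm -f` and `ln -s` lines as well, since the loop variable now comes from server output rather than a directory listing.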
@@ -5,9 +5,7 @@ when: - mysql_db_data is defined - item.name is defined - tags: - - mysql - - mysql_db + tags: [ 'mysql', 'mysql_db' ] - name: Add a user for the databases mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv={{ item.0.name }}.*:"{{ item.0.user_grant }}" state=present @@ -17,7 +15,4 @@ when: - mysql_db_data is defined - item.0.name is defined - tags: - - mysql - - mysql_db - + tags: [ 'mysql', 'mysql_db' ] diff --git a/mysql/templates/mysql_backup-default.j2 b/mysql/templates/mysql_backup-default.j2 index 3eccc710..b189f3d6 100644 --- a/mysql/templates/mysql_backup-default.j2 +++ b/mysql/templates/mysql_backup-default.j2 @@ -4,3 +4,5 @@ MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}' N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}' MY_BACKUP_DIR='{{ mysql_backup_destdir }}' MY_DATA_DIR='{{ mysql_data_dir }}' +# Exclude list +EXCLUDE_LIST='{{ mysql_backup_exclude_list }}' diff --git a/nagios/defaults/main.yml b/nagios/defaults/main.yml index c7307d5e..9a7ec645 100644 --- a/nagios/defaults/main.yml +++ b/nagios/defaults/main.yml @@ -61,8 +61,11 @@ nagios_dell_omsa_pkgs: - srvadmin-base - srvadmin-idrac - srvadmin-storageservices + - srvadmin-omcommon # We need a more recent version of the check_openmanage executable nagios_dell_standalone_checks: - check_dell_warranty.py - check_openmanage + +nagios_openmanage_additional_opts: '' diff --git a/nagios/tasks/dell-omsa.yml b/nagios/tasks/dell-omsa.yml index 594d32e8..8dddf23f 100644 --- a/nagios/tasks/dell-omsa.yml +++ b/nagios/tasks/dell-omsa.yml 
@@ -7,14 +7,28 @@
 register: update_apt_cache
 tags: [ 'dell', 'nagios' ]
+- name: Install the NeMIS internal repository apt key
+ apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
+ tags: [ 'dell', 'nagios' ]
+
 - name: research infrastructures system repository on debian
 copy: src={{ item }} dest=/etc/apt/sources.list.d/{{ item }}
 with_items:
 - research-infrastructures.eu.system.list
- when: is_debian6
+ when: is_debian
 register: update_apt_cache
 tags: [ 'dell', 'nagios' ]
+- name: Update apt cache
+ apt: update_cache=yes
+ when: ( update_apt_cache | changed )
+ tags: [ 'dell', 'nagios' ]
+
+#- action: apt_key id=1285491434D8786F state=present
+- name: Install the Dell OMSA repository apt key
+ apt_key: keyserver=pool.sks-keyservers.net id=1285491434D8786F
+ tags: [ 'dell', 'nagios' ]
+
 - name: Install the Dell apt repository
 template: src={{ item }}.j2 dest=/etc/apt/sources.list.d/{{ item }}
 with_items:
@@ -23,18 +37,9 @@
 register: update_apt_cache
 tags: [ 'dell', 'nagios' ]
-- name: Install the NeMIS internal repository apt key
- apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
- tags: [ 'dell', 'nagios' ]
-
-#- action: apt_key id=1285491434D8786F state=present
-- name: Install the Dell OMSA repository apt key
- apt_key: keyserver=pool.sks-keyservers.net id=1285491434D8786F
- tags: [ 'dell', 'nagios' ]
-
 - name: Update apt cache
 apt: update_cache=yes
- when: update_apt_cache.changed
+ when: ( update_apt_cache | changed )
 tags: [ 'dell', 'nagios' ]
 - name: Install the Dell OMSA packages dependencies
@@ -42,7 +47,7 @@
 with_items: nagios_dell_omsa_deps
 tags: [ 'dell', 'nagios' ]
-- name: Install the Dell OMSA packages dependencies
+- name: Install other Dell OMSA packages dependencies
 apt: pkg={{ item }} state=installed force=yes
 with_items:
 - python-requests
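Review bot: The NeMIS signing key in the new first task is fetched with `apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc` over plain HTTP and is not pinned to any fingerprint, so anyone on the network path can substitute their own key and afterwards serve replacement packages from the repository the next task enables; the Dell key added further down relies on an unauthenticated HKP lookup (`keyserver=pool.sks-keyservers.net`) checked only against a 64-bit key ID. Ship the NeMIS key with the role and import it locally, `apt_key: data="{{ lookup('file', 'system-archive.asc') }}" state=present`, or at minimum fetch it over `https://` and pass `id=` with the full 40-hex fingerprint so apt_key can compare what was imported; do the same full-fingerprint pinning for the Dell key. The relocation of the tasks so that the cache refresh runs after the NeMIS repository is added looks right.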
@@ -75,8 +80,8 @@
 when: ( libssl_legacy | changed )
 tags: [ 'dell', 'nagios' ]
-- name: Install the Dell OMSA packages
- apt: pkg={{ item }} state=installed force=yes
+- name: Install the main Dell OMSA package
+ apt: pkg={{ item }} state={{ nagios_dell_omsa_pkg_state }} force=yes
 with_items:
 - syscfg
 when: is_not_debian6
diff --git a/nagios/tasks/hardware-checks.yml b/nagios/tasks/hardware-checks.yml
index 26d921fc..29df2b57 100644
--- a/nagios/tasks/hardware-checks.yml
+++ b/nagios/tasks/hardware-checks.yml
@@ -25,6 +25,7 @@
 - name: Ensure that the smart server is enabled and running
 service: name=smartmontools state=started enabled=yes
+ when: not is_debian8
 tags:
 - nagios-hw
 - nagios
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 657faf3e..b6000f04 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -5,6 +5,14 @@ nginx_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
 nginx_ldap_base_dn: "dc=research-infrastructures,dc=eu"
 nginx_enabled: "Yes"
+nginx_enable_compression: True
+nginx_gzip_vary: "on"
+nginx_gzip_proxied: any
+nginx_gzip_comp_level: 6
+nginx_gzip_buffers: 16 8k
+nginx_gzip_http_version: 1.1
+nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
+
 nginx_proxy_buffering: "on"
 nginx_proxy_redirect: "off"
 nginx_proxy_buffer_size: 128k
diff --git a/nginx/tasks/nginx.yml b/nginx/tasks/nginx.yml
index cf62d3f3..f5df3143 100644
--- a/nginx/tasks/nginx.yml
+++ b/nginx/tasks/nginx.yml
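Review bot: `state={{ nagios_dell_omsa_pkg_state }}` in the renamed task references a variable that the `nagios/defaults/main.yml` hunk of this same commit does not define (it only adds `srvadmin-omcommon` and `nagios_openmanage_additional_opts`), so unless it is set somewhere outside the diff the task fails with an undefined-variable error on every run. Add `nagios_dell_omsa_pkg_state: installed` beside the other nagios defaults, or fail soft inline with `state={{ nagios_dell_omsa_pkg_state | default('installed') }}`. The `force=yes` kept on this apt call maps to apt-get `--force-yes`, which disables package signature verification and therefore undoes the repository key imported earlier in this file; if the Dell packages are signed it should be dropped, and if they are not, a comment should say so.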
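Review bot: The new gzip defaults compress `application/json`, `text/xml`, `application/xml` and the JavaScript types for every virtualhost, including responses served over TLS; a compressed response that reflects attacker-controlled input next to a secret (a CSRF token, a session identifier in a JSON body) is the precondition for the BREACH attack. Keep the list for static content, or add a warning above `nginx_enable_compression: True` such as `# Compressing dynamic HTTPS responses that echo user input exposes them to BREACH; override nginx_gzip_types or disable per host where that applies`. `nginx_gzip_http_version: 1.1` is an unquoted float that happens to render as `1.1`; quoting it (`'1.1'`) removes the dependency on float formatting.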
@@ -4,25 +4,26 @@
 with_items:
 - nginx-full
 when: not nginx_use_ldap_pam_auth
- tags:
- - nginx
+ tags: nginx
 - name: Install the nginx web server if we need ldap auth via pam
 apt: pkg={{ item }} state=installed
- with_items:
+ with_items:
 - nginx-extras
 when: nginx_use_ldap_pam_auth
- tags:
- - nginx
+ tags: nginx
 - name: remove nginx default config
 file: dest=/etc/nginx/sites-enabled/default state=absent
- notify:
- Reload nginx
- tags:
- - nginx
+ notify: Reload nginx
+ tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
+
+- name: Install the gzip compression configuration if enabled
+ template: src=nginx-compression.conf.j2 dest=/etc/nginx/conf.d/compression.conf owner=root group=root mode=0444
+ when: nginx_enable_compression
+ notify: Reload nginx
+ tags: [ 'nginx', 'nginx_conf' ]
 - name: Ensure that the webserver is running
 service: name=nginx state=started enabled={{ nginx_enabled }}
- tags:
- - nginx
+ tags: nginx
diff --git a/nginx/templates/nginx-compression.conf.j2 b/nginx/templates/nginx-compression.conf.j2
new file mode 100644
index 00000000..4a06955b
--- /dev/null
+++ b/nginx/templates/nginx-compression.conf.j2
@@ -0,0 +1,6 @@
+gzip_vary {{ nginx_gzip_vary }};
+gzip_proxied {{ nginx_gzip_proxied }};
+gzip_comp_level {{ nginx_gzip_comp_level }};
+gzip_buffers {{ nginx_gzip_buffers }};
+gzip_http_version {{ nginx_gzip_http_version }};
+gzip_types {{ nginx_gzip_types }};
diff --git a/oracle-jdk/defaults/main.yml b/oracle-jdk/defaults/main.yml
index bb8d7bc6..ed327dec 100644
--- a/oracle-jdk/defaults/main.yml
+++ b/oracle-jdk/defaults/main.yml
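Review bot: The new `Install the gzip compression configuration if enabled` task runs only `when: nginx_enable_compression`, so a host that once had compression on keeps `/etc/nginx/conf.d/compression.conf` after the flag is flipped to `False` — the variable toggles installation, not the feature. Add the complementary task `file: dest=/etc/nginx/conf.d/compression.conf state=absent` with `when: not nginx_enable_compression` and the same `notify: Reload nginx`, so the flag is idempotent in both directions.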
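Review bot: The new template sets only the `gzip_*` tuning directives and never `gzip on;`, so whether `nginx_enable_compression` actually enables anything depends on the distribution's `nginx.conf` having switched gzip on already (the Debian package does, other builds may not). Adding `gzip on;` as the first line of `nginx-compression.conf.j2` makes the role self-contained, and a header comment such as `# Managed by ansible (nginx role); gzip tuning, see nginx_gzip_* in defaults` helps whoever finds the file on the host.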
@@ -6,8 +6,12 @@ jdk_version:
 - '{{ jdk_default }}'
 jdk_java_home: '/usr/lib/jvm/java-{{ jdk_default }}-oracle'
 jdk_pkg_state: installed
-jdk_install_strong_encryption_policy: False
+oracle_jdk_packages:
+ - 'oracle-java{{ jdk_default }}-installer'
+ - 'oracle-java{{ jdk_default }}-set-default'
+jdk_install_strong_encryption_policy: True
+
 # If we want a different oracle jdk set the following variables in the local playbook:
+jdk_use_tarfile: False
 # jdk_java_home: /usr/lib/jvm/java-7-0-25
-# jdk_use_tarfile: True
 # jdk_tarfile: oracle-jdk-7.0.25.tar.gz
diff --git a/oracle-jdk/files/jdk-7-US_export_policy.jar b/oracle-jdk/files/jdk-7-US_export_policy.jar
deleted file mode 100644
index 71732130..00000000
Binary files a/oracle-jdk/files/jdk-7-US_export_policy.jar and /dev/null differ
diff --git a/oracle-jdk/files/jdk-7-local_policy.jar b/oracle-jdk/files/jdk-7-local_policy.jar
deleted file mode 100644
index c34d0362..00000000
Binary files a/oracle-jdk/files/jdk-7-local_policy.jar and /dev/null differ
diff --git a/oracle-jdk/files/jdk-8-US_export_policy.jar b/oracle-jdk/files/jdk-8-US_export_policy.jar
deleted file mode 100644
index 251b102c..00000000
Binary files a/oracle-jdk/files/jdk-8-US_export_policy.jar and /dev/null differ
diff --git a/oracle-jdk/files/jdk-8-local_policy.jar b/oracle-jdk/files/jdk-8-local_policy.jar
deleted file mode 100644
index 1c58939b..00000000
Binary files a/oracle-jdk/files/jdk-8-local_policy.jar and /dev/null differ
diff --git a/oracle-jdk/tasks/main.yml b/oracle-jdk/tasks/main.yml
index 127827c3..2ddc9648 100644
--- a/oracle-jdk/tasks/main.yml
+++ b/oracle-jdk/tasks/main.yml
@@ -15,33 +15,35 @@
 tags: jdk
 - name: Install the latest version of Oracle JDK
- apt: pkg=oracle-java{{ item }}-installer state={{ jdk_pkg_state }} force=yes
+ apt: pkg={{ item }} state={{ jdk_pkg_state }} force=yes
+ when: not jdk_use_tarfile
+ with_items: oracle_jdk_packages
+ tags: jdk
+
+- name: Install the extended security JCE Oracle JDK package
+ apt: pkg=oracle-java{{ item }}-unlimited-jce-policy state={{ jdk_pkg_state }} force=yes
 when: jdk_use_tarfile is not defined or not jdk_use_tarfile
 with_items: jdk_version
+ when:
+ - not jdk_use_tarfile
+ - jdk_install_strong_encryption_policy
 tags: jdk
 - name: Set the JDK default via update-alternatives
 apt: pkg=oracle-java{{ item }}-set-default state={{ jdk_pkg_state }} force=yes
 with_items: jdk_default
- when: jdk_use_tarfile is not defined or not jdk_use_tarfile
- notify:
- Set the default Oracle JDK
- when: jdk_default is defined
+ when:
+ - not jdk_use_tarfile
+ - jdk_default is defined
+ notify: Set the default Oracle JDK
 tags: jdk
 - name: Install a custom version of Oracle JDK from a tar file
 unarchive: src={{ jdk_tarfile }} dest={{ jdk_java_home_prefix }}
- when: jdk_use_tarfile is defined and jdk_use_tarfile
+ when: jdk_use_tarfile
 tags: jdk
 - name: Set fact jdk_installed
 set_fact: jdk_installed=True
- tags: [ 'jdk', 'jdk_security' ]
+ tags: jdk
-- name: Install the strong encryption policy files
- copy: src=jdk-{{ item.0 }}-{{ item.1 }} dest={{ jdk_java_home }}/jre/lib/security/{{ item.1}} mode=0444 owner=root group=root
- with_nested:
- - '{{ jdk_version }}'
- - [ 'US_export_policy.jar', 'local_policy.jar' ]
- when: jdk_install_strong_encryption_policy
- tags: [ 'jdk', 'jdk_security' ]
diff --git a/postfix-relay/defaults/main.yml b/postfix-relay/defaults/main.yml
index 15e1a0b3..3e716cab 100644
--- a/postfix-relay/defaults/main.yml
+++ b/postfix-relay/defaults/main.yml
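Review bot: The new `Install the extended security JCE Oracle JDK package` task ends up with two `when:` keys — the context line `when: jdk_use_tarfile is not defined or not jdk_use_tarfile` inherited from the old installer task, and the added `when:` list three lines below — and a YAML mapping cannot carry duplicate keys: PyYAML silently keeps the last one and newer Ansible releases at least warn about it. Delete the inherited line; the added `- not jdk_use_tarfile` already expresses it, and the same duplicate-`when` pattern is what the `Set the JDK default` task is being cleaned of in this hunk. The `force=yes` on all three `apt:` calls also maps to apt-get `--force-yes`, which turns off package signature checks for a package fetched from a third-party PPA; if the PPA key is installed it is not needed, and if it is needed a comment should say why.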
@@ -1,3 +1,6 @@
+---
+# Set it to true when you want configure your machine to send email to a relay
+postfix_relay_client: False
 postfix_biff: "no"
 postfix_append_dot_mydomain: "no"
 postfix_use_relay_host: True
@@ -6,7 +9,7 @@ postfix_use_sasl_auth: True
 postfix_smtp_sasl_auth_enable: "yes"
 postfix_smtp_create_relay_user: True
 # See vars/isti-global.yml
-postfix_relay_host: smtp-relay.research-infrastructures.eu
+postfix_relay_host: smtp-relay.example.com
 postfix_relay_port: 587
 postfix_default_destination_concurrency_limit: 20
 #postfix_smtp_relay_user: smtp-user
@@ -15,7 +18,6 @@ postfix_default_destination_concurrency_limit: 20
 # The following options are used only whe postfix_relay_server is set to True
 postfix_relay_server: False
-#postfix_mynetworks: '{{ network.nmis }}, hash:/etc/postfix/network_table'
 postfix_mynetworks: hash:/etc/postfix/network_table
 postfix_interfaces: all
 postfix_inet_protocols: all
diff --git a/postfix-relay/tasks/main.yml b/postfix-relay/tasks/main.yml
index c0a9445f..609f4e0f 100644
--- a/postfix-relay/tasks/main.yml
+++ b/postfix-relay/tasks/main.yml
@@ -1,6 +1,9 @@
 ---
 - include: smtp-common-packages.yml
+ when: postfix_relay_client
 - include: smtp-sasl-auth.yml
- when: postfix_use_sasl_auth
+ when:
+ - postfix_use_sasl_auth
+ - postfix_relay_client
 - include: postfix-relay-server.yml
 when: postfix_relay_server
diff --git a/solr-tomcat-instance/defaults/main.yml b/solr-tomcat-instance/defaults/main.yml
index 0fb55504..a3ec346a 100644
--- a/solr-tomcat-instance/defaults/main.yml
+++ b/solr-tomcat-instance/defaults/main.yml
@@ -1,7 +1,6 @@
 ---
 # solr
 solr_http_port: 8983
-tomcat_http_port: '{{ solr_http_port }}'
 tomcat_load_additional_default_conf: True
 tomcat_version: 7
 # solr needs a lot of time to start if it needs to rebuild its indices
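Review bot: `smtp-common-packages.yml` is now included only `when: postfix_relay_client`, and the new default for that flag is `False`, so a host configured purely as a relay server (`postfix_relay_server: True`) no longer gets the common packages unless `postfix-relay-server.yml` installs them itself — that file is not in the diff, so this needs checking rather than assuming. If the server path does depend on them, gate the include with `when: postfix_relay_client or postfix_relay_server`. Replacing the real relay hostname with `smtp-relay.example.com` in the defaults is the right direction; the comment above `postfix_relay_client` would read better as `# Set to True to configure this machine to send mail through the relay host`.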
@@ -13,7 +12,7 @@ solr_config_name: hindex
 solr_shards: 1
 solr_instance: '{{ solr_service }}'
 solr_log_level: INFO
-solr_http_port_1: '{{ tomcat_http_port }}'
+solr_http_port_1: '{{ solr_http_port }}'
 solr_zoo_port: 9983
 solr_zoo_port_1: 9984
 solr_zoo_port_2: 9985
diff --git a/solr-tomcat-instance/meta/main.yml b/solr-tomcat-instance/meta/main.yml
deleted file mode 100644
index a30f4a7d..00000000
--- a/solr-tomcat-instance/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
- - role: '../../library/roles/tomcat-multiple-instances'
diff --git a/ssh-keys/defaults/main.yml b/ssh-keys/defaults/main.yml
index 44e78abb..e3d2ec8a 100644
--- a/ssh-keys/defaults/main.yml
+++ b/ssh-keys/defaults/main.yml
@@ -1,41 +1,5 @@ --- manage_root_ssh_keys: True -# -# Example: -# user_ssh_key: [ '{{ sandro_labruzzo }}','{{ michele_artini }}', '{{ claudio_atzori }}' ] -# -cm_pubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJN8XR/N4p6FfymWJy7mwR3vbUboC4P+7CgZalflhK5iH0P7c24/zZDY9Y5QIq58IViY7napqZuRkNHnHcvm9mxtSxQ16qe03NulABN5V/ljgR0sQAWz8pwv68LDpR9uBSCbXDdDCUUlS+zOxCHA6s7O7PSFavX4An1Vd/mjwoeR4eLRQXNcKsK2Pu/BZ3TCLmWyi2otnxFiJ8IoKW1CvjxKWmt5BvAvys0dfsdnTSVz9yiUMwN5Oj8cw/jhKqadnkvqTGfGl1ELm9L2V7hT6LM0cIom9oRsQf+JJ6loBe3UUZGaAhY2jmARmZdX3qV9Wh+UtxaWMEAXB9mf/2cK9f jenkins@cm -ci_pubkey: ssh-dss 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 jenkins@ci -claudio_atzori: ssh-dss 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 claudio@claudio-desktop -michele_artini: ssh-dss AAAAB3NzaC1kc3MAAAEBAKYA5eODSPDAcAhTqXQQP5mzPmLfS7J929Ncl5eqTj6KsjayfNnKsKDPzXGD/YGEGTP82VQuBzk42c1WLoUi5GnB5kZUWfdrKJLbr4JXcVUYnNNIwWIc1L9YunmbFN2zllHUXHrKn6EeKjR6H5xT0KPOX17MUa462jA2FLvesaqOoomm/AeNBF1UkCx0mRJEAMGq+I3xSBQJVhUOFmRJ7n6b4X0E3GXxtpkAwHiBiHX1GtNh2gMeTkIBHeZrS90l7DOumM8Y5KOP+fBd5scxodHKG2p+t3gwzwU2RoF5Hq8OvT4B3Dr5qPZKBIrB6kh6/5rLv8O0Lbky2aeoiYaIR0sAAAAVAO1EMaAsE93IDppRLlV+EjNn/4HbAAABAQCDPZHdR+uG0jfsed/ONPzecBDAJ4qS99D50hqrmQIRtsuhwo9KFsJ1cVjgSYjToqg8XuPZaO26E1riHnFAGoExQFNdev++kGtMfT3sxHOLwDd19fA3KNftFY0oqzDkLuD4D1+8gWk7WmTk8M5O5McFuuAr5TmXFdFNT49/6Z+XOuIQxyuEq9kJxSbO+dag4699lm3ZadSq6SEC2u0WAgyaIYUorYPJyYETSvUpsBtv37+oGbbz7dfbZ5pnmYi70BFiC2G7fA79shn0X/+Gk2Wp7RTDP/OB++RZFcrjHFQtvETdGSviq2Lxl1C7zp61qAmd0TZJBZ19k29nXIrILEnJAAABAFRqkJyVwZerL+E2jbF5LP89NW9HsjrBOEBekohR5zQY1KUPDirbReaGdf5hM6tvRxQCjlD+VMNq2VFRDC+RqOot5+KIyCaom4sXeYZiJBWa1Zx5YLbUZnYBGIpsa+IICA4drYwInGUN2EhClPwfDvZzFhd422kZFjiLYNM1HQ9f5TbKf1cPLSE/OitxU6+/NrCbMaRO2QPrjAB2EQG2s3DB9qfMBPg/Re7DyGJgMBn6KUXZ6JRvVssASvF7WsRaf5zRpug335CymndSS4fvQY74XJiVtB4vqDZle+WhXut8jvZ1Zl525fZZg9smZ2anqVWGGRxael7hjvlwYXbazkw= michele@pc-artini -andrea_dellamico: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9n6B+J5S7NPnwjejPC2WrvcRzC07WPnAoQ7ZHZ0Mv9JakyWItswzI3Drz/zI0mCamyuye+9dWz9v/ZRwUfBobVyXuptRaZIwxlMC/KsTZofpp3RHOBTteZ4/VM0VhEeiOHu+GuzNE0fRB2gsusWeMMae2cq4TjVAOMcQmJX496L703Smc14gFrP8y/P9jbC5HquuVnPR29PsW4mHidPmjdKkO7QmDfFAj44pEUGeInYOJe708C03NCpsjHw8AVdAJ6Pf16EOdDH+z8D6CByVO3s8UT0HJ85BRoIy6254/hmYLzyd/eRnCXHS/dke+ivrlA3XxG4+DmqjuJR/Jpfx adellam@semovente -sandro_labruzzo: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+PFOSF+U9pvWTH/9TYZer3oDvTU2q6wVPs0dvgYc9Ak1Wdzmq4Dj9nyeLBW3G1i5ddqFrr/QSjIroX2/y8Z8Dq+OZLRpBhSyLF9bV0jKbytJJYhkzIJHgE/ITTdbNQVZstjPZ0D4c/0lrbMwiiwsKWRqphmvMKFmgkO4M4w1qm8B3UYPHF3lZfw+vm+rgVv+FiOltgsRm+LU0IszeiiOd1WgPWUVYixFnNUVzDkXRDatO5//M1XMHM/PoontgnsCP2j9kxIptYgguiNZUIeMUFljw3SbV84NrVUSpL6/fzmvsEv05rkRT0+P8oPYIhxO1alKr99H9ADg7pU36rWaN sandro@sandro-pc -hadoop_test_cluster: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDi7O89HLqa3HMEkmCVF6/V/IWw8G8eaKWOOzDsLtQAFFti9rWHckyCSxNhtYuuiGLhn5Mad0E7JaguexU5j+Rm9Vu30ducF6DefJsOqQ5TfQhzN60w5f+y59BqWDSHBBawEhfuS2B5qj9iL76w8ZgMsqS+6WXiT792F9DoelYfKBODQi8/AE5C93iQiYyyFIrvy37KUfvBlzjSkNNHb5A36PlHmQBZD3WhROaZfjUfXifFzOSs9bERazttXG8HeElt7zbE40OSse2HG3y34gB+TvGIYbd3scQUiL5dEWt4cDSDBrEU6b1rG04uZgkscxCFwTDxPrHUVXS0ou03N4nr Hadoop test -tommaso_piccioli: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzcHuDU7PgJwz34AsVG0E2+ZRx17ZKW1uDEGABNk3Z60/c9LTwWKPj6kcIRy6RzFJI5X+IgPJnYouXVmJsIWjVL8IRk8fP1ffJC6Fyf6H7+fCxu/Wwed5OoOCvKeZ0bEmJ1tlXFM6+EnxKqLCvz3fsNy8e4WKMnpS1hT8K6YB7PMjt60S3wOaxds1Lv4NmmgnfGM5uZFYrZCx1/GJCzNSh7AEEEUIVQ1B8xmXbet7whNiwDmiOnXSlt38dkIYT8kNMuRCj/r9wPr7FmoUCOFzUVXTcnuYagKyURrZ8QDyHbK6XQLYXgvCz/lWoErGFbDqpmBHHyvKSeLPxYfJpWJ70w== tom@tom -backup_agent: ssh-dss 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 root@dlibbackup -monja_dariva: ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAuQJvgDc8lQB+EArajGPEirRuYxGcInfiM3uRS0P5Dhqch6cuNdMFFjCoQVFL2Dvs7QNSRm8mvnPLWOCYLEFPBdXlA63w+n3VWoVOs0lUgQM77/axetd/K8BCkJlcA/exvVxLtzc5k8hN1k3OJY/Npi2Xa4WyEMV6t7+vYK3MXPjFBy4Y/aLWZvHcCn0zUbeB8T8PJ2S8taCIOMzemUzjGs3c0f4y6oaJx1gPw31PCahkaVS4ZLSt+0y3DRaGiXjyzgbQPf1whBOT4SSiX3SgdMvxA/Fzz2sSAn9PNfKq+/vygn7qDB79qzBhOXs36dPuwmsqggxIZasGUT/YfRp5Cw== monja@pc-monja -andrea_manzi: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoCquwjgvRQXrHJ7sjY7/mFv0hEev4dljYKYz3Rf9r1rExQ6zku4tCvLkwmc+1U4ui2GCMQ70Hp1BbVdU01WVdAb6ESLAqk4m2NFiNxSsxerEyyOgnCvTA+Pcb1beVHgEm1/IA+6MgVPg71nE2OETpaoDNBGn+AmCdLqC67lXM9KlEaoLFFGY8ZbwJifWdidH/fk3rQojnGhxnFOidVu8QeV+b5kNTyVA2CUbCZCFZANIs/ZrDOmP5nmtA35vkIRU0OV6iBeJmcYsMwXmh8kiR6KoKVcH7gMMxTpBr/wjvdak7BeiZirP9poKE7XBiyHeatqQgEUOALsolkCYk8YJUw== andrea.manzi@shell.research-infrastructures.eu -antonis_lempesis: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8nr14q0s/8V9Nv3bz7xCk9FwKbtN21qx33PDTUS/NjwHX/AQIE1ZFbepPOnzLuPy8LUtzrEI+cEMDjn37CLiZWjnZkPOaIV7ELUBvwIk6JBe6iXSq93atYJWxQQsPuc1uoAFWLayxExMRl+P0UQCP7pQmTg4v8U4VflCp0LLBglgBl5glIiw2fLAfc+JawefWGnp92djuvqii8zm5nUmgJ+5DjbSD0rMO+vYXme5ig6v6b2YFG0cUHiNk8evM6M+OWmtz1uzP6kfQ4SjCNpzib6Rub8hgPlkJH/z4S+7lF1e6uwohQyicwu6hfTfIL+IRRCrNTGtzcDmk405/nIETQ== antonislebesis@ekton.lan -alessia_bardi: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvfQoH4uRROhIUY5VTthAiY0Ga0cbg3smsT366C4Nd3TtU5ciBterRQv0YkvdQ4zS+e3D47PFRAuEyJEAJMp9+odhmjT6WPLhMYmE42b0qk+WC4uXG7V2rTX+wNvX4HaVHnlPai/6Of85rZ1AKbeMB2LLKMvj0n1HovVg6VbLUfrrxfkcTfgE27mukoRQy4RuZjQRjdJ1o7g4geA05CrFjDOriqwl4WDXWUNSkx2MwtOZ58ZLAVu84ce+RYvzxHC/wZptOx6U35fsoAaK7NPIiwbRbSbQqlAMnQauCLYTvfFKFkqY2JXp9q6lSsW4S5VnEeJjWvO/e7rxOmdbxGzx9w== lexis@lexis02 -andrea_mannocci: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCtTV2pjWXgTmX5h9J7VtQbYZ2NoQyZmLKl5gHvBKcX4pgBNYR+OA0620l3I3bTLPzqx93y6N/GIi2ewutyk7n2a5qFAIZxhrQYR5rSQn07apTDSh9CKyAyy6baM/jQmZN4ba6ObHIFdtIPHyY0Z/2ni6ohWXuOPIC+me+/x4R6P5s7y6x4IoMOGcEtn+puJ1gAdMBhkn7IqMAbdMj3WbsBjDAJ2lT8Dbyet8fkW4TENxd0teRW9jGeSP8rtuapnAF6rgcvPn/gk3/0wnBsXjtlBe5VEJTsNXY50RoB+PdkLgT4h6613v2WtR6ZoCEVNLXbsJ2BabrCmntyEEJVdbMJ andrea@pc-andrea -marek_horst: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0tbauAEn91q209ek50lv6jeBGsYy+N25XPVE9e173L3oW/NR1DuIXdn/zpHy5sLKpWk2nLkGJxNBdAFlKKxDKzRRZ7aX8qB490o5H4GTGgdxIQtp8x66CvIjMyM4kYLExVb4WVV7yMxCxuClMk6/m0vo3h77VzL08e3uyLoa5FZ3RPbOFb6QvnH4QEoFp/6Hos9mJF2bY/w2DqUrUVgUeAO9k9uilqhv+rwHdsq20g9OXHNlWOOtNtrWq0pn1FU1jCooZsbqLeBcEGlvD/I1FxqLi7x5llpNVfHTmEHoczTmuo0sqAGmSxHWnz3C4KtVTHVqxLS6hSUp55j6DQwPnw== -eri_katsari: ssh-dss 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 eri@eri-duffy -marko_mikulicic: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYNjCquDDIpGqJgr8DTkRd0Y1ngmrq+FFMb+UnALdm3I1Uch07Z+TAkcrkpr9RdyTjP3mNIUUyI18Z6NgUC2TR4x7wVA9eV0uGWP8BiocXWPjVhQJhtDkXldkP93ylyYlLJ4VQ+xGinKdg7ZA4KTpG6rnjL999AA4W0utj5B8Dj0l/wvp96ONq1ZOTzOc3h0t9NGVQLbXstNakQkPcb5E2hyt4QOOahpZ6TG2is460G5yEgV3xHT/VRJQn0OjKeHnXlDwXs53qwjeNrESMEv4wD2qufgAXKbPGK7+3GReE8VkkhwnEY1/ET4LaTyqg6eIp0mIiScDvBV0/UCNX8c49 mkm -jochen_schirrwagen: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqVJeLtXaqseUP3cHSIQw+6Piv6s0PmezFbj34oqcN81/JlzmTtpOd8GBX6N8Weo40HbKhlghOl08+3WP2fW3eg9vaST6xCy8BvzLcqb8LPBSlTXa8imAK9AWkR4peFi1zYpIciZpkAwaFtfpdSR/zJip2s61EgWhinUPHs/0PzCCM32P4Yc0qYygb+htv4AthZWChEbHSY7eNrXIOOvyQtUSbpGJ78VCEdlKuy+ehhTxlMOBxcKca1PSWU3jSmzkSxnUotr2IXiRK1bUVZYpXXd7K89EZfPpb3DG1z8UBf9n0obLdI0yvaka8z8l1KxbwuAhN9MyzHITALbniYIHOw== jochen@jochen-laptop ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAo5A+f0wdqoXCGEFBpePV892cq9MswIgK9vmDJ22TdHKQrN5h1sIHeXjxO3vnaktb62evFqZw1kueA0dwQhEA+Kvpc5qN1s+GfIxs4PbNjiNWNVgwrfGK11vlW/LP2GgbfZ7pl+Gxj6Qu65/A2eMf4c9ZjAOnHck6RQSttrfIjR0kLpqEB3o2x8s89vu/P5PG7mN+IsfW9Ow/612m+8ZG84qnVAo36lK9mgEFUToozIHfON14uC8VGTnsN9ff9S98GJkW8Ga3ha9voPwkp794LBHZlQj01Pwm4ZOx+tdOfTNXx06szjswacWXsW4zaTyH9MZP9LumubGG7eOse0y0bw== jochen@jochen-desktop ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo5A+f0wdqoXCGEFBpePV892cq9MswIgK9vmDJ22TdHKQrN5h1sIHeXjxO3vnaktb62evFqZw1kueA0dwQhEA+Kvpc5qN1s+GfIxs4PbNjiNWNVgwrfGK11vlW/LP2GgbfZ7pl+Gxj6Qu65/A2eMf4c9ZjAOnHck6RQSttrfIjR0kLpqEB3o2x8s89vu/P5PG7mN+IsfW9Ow/612m+8ZG84qnVAo36lK9mgEFUToozIHfON14uC8VGTnsN9ff9S98GJkW8Ga3ha9voPwkp794LBHZlQj01Pwm4ZOx+tdOfTNXx06szjswacWXsW4zaTyH9MZP9LumubGG7eOse0y0bw== jochen@jochen-desktop -old_nikon_gasparis: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpwiKTTbiaRtuloEgvTRwjDjzrYSjUOUfjZ/o7FlfvtkApA09bSbbtVpMid60TYzf2tK1ie0Y0rCnaQ0wiaSQFqGkw47VsewBOpyJC+pWXz6GLMMJUEY6viDSuUDbn7ADJqak4YscVi2vZCSwWwslA+jBqWimDdE+8hIKNqQQA3klZ1zp84HayUdJY4jt3nbpQkOpVUdE/1cggVdq523hF2u+mjyR3ctILVyyPArxPInYILZxhaS8AvX8ZPADIE5Ki0zowC2UsvbZZzauJzJQ/KuK1tvZVD2AaEg+06Kj1RWWxIlYgXpO+XYGoYEViPMHUdf1h+zt+t6UxXshWPeWd nikonas@di.uoa.gr -nikon_gasparis: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3b+t/2RQjw8d07zV30tD0qysEFNTeeAsFqazdrvPa+bbm6wZ75Gkka4+wWmVZdd56gIh4yx4L4avnnzeQfUTREgrhNmlHRPdVB5rpJNa/3bQ+J/O3SpyRcGawPKNJWlhwCWaILag0lm3O+4ukuzN2WXFxHGyiiz0FLPXS7Yps2k3OZVHPx7GhGkr+K26c3oELR/yTCCgQxrZwMpy9xOLhXgPZRlzj4Y/KQBgRojbhhrFmmKe3k7g8u2Kb/oSDl5+kSOWzV7qrvHkHDUc2K1bp+lrG6L8QNLivZzOVQ/VeBBGGRhSL5D2JdC4T7+q89dsmPQM6Zu3lWBKQk/Jw/1gZ nikonas@mpagasas-I2 -roberto_cirillo: ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAvkwppFE+K5MjKqtkGJN63wkcwaqZG4HkgPqMSWrXmCfDPJ3FxjDHV9aQRJYVKZObc9+SsFc9IYXwB2A8FI0XwPkCH2hfFKDVNO4TktO/SrM+4tXbEfEDWX/PduBQLootYaMEVj++p2+s/mxVnxTAMzsR4txC9tkWR4JO4VJ2cpZfM8po4p1wA4YteW6Oiv0PqUEsLtPtBHGuCgovo8WS+qxcxpeBBnewEssgis2dzDSqx5HUmaOETAxxEHflapHWQLum0JjvXsG5jlf9jL44XJPkcHXAYk3gnhtyM0moJpUya+GX7+ttfWWvwxs0tYNDXNMRn91r1hMLWmas4D+T/Q== rcirillo@rcirillo-cnr -fabio_sinibaldi: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArNhKFcJ6T08sn7kTTLf+rO9HEvgOvqfhv5HQ2sRf2tFYfjfCb0zHKnMkgW+sy5gMU10Lyx1r7juXCvqRC955uIM97m1B1Xc6sVqASVKuGPhCKfhxEaMAyBcWFdE+HYbCOPYVN+JMrcwWfbblwiZTtK1OCqaEUvDDI7cFeU68noXwggEp46T48eqMUdi541D9Y+BVx9HYAo6OCQz0+6eXwxJL+tpRcAAXIMMWv362CYHoOgIU45R7xVSMLY1k/HLrcEAblwxEaSpduCH5cWUXZE/56IyxpvP44BxZkVhNdqJLmg4hxBQWhoMNYiTZxbLay3W2TwBCM111cAtUx4M/jQ== fabio@pc-fabio -gianpaolo_coro: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAkLUsStIPUVZVWiHyiI2poDnB70CjOJttbFLc5hBd6ViomiFil9u9q5Q0M1JBFFSv8Yfl1Rmc9zOh/52lJolxPGn8r22uGgDHVv71IJ04nS5KaRGIbv2WoZbYBc85oyZk5Fv/emY9Ace/t8icgDl5xJddeLfK6rTU64MZ7NGycIc= coro@coro-PC -katerina_iatropoulou_old: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA29WTITAKDhIE4lYt41hEtL3TnE+bIrlZAdAzSKySHOXPI8Q1vxanvprnL8BU0okgfZJDx3qxcTWLbwpcdWvGbO2SIA8JSKl2viQqfYDc5VtWFd4xo5z9y5BRrNDOOel+XAZjamx8lv8c44Au0ACV+jCAhnzwJA4Iso1KuNsuj2M= kiatrop@rudie -katerina_iatropoulou: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/gQ8huY5CSl7cGPiNE8OdNvlE4A0lXe08gSiEKIYVh9qz57ALoZLSP3To4cKIhfmFssSAewu/0A0IX9llOGlsOVkC4aGOlO03l0mAiVS7bVQd+5S51Gh+ijWsJjSg4bLoRINn1NkNNZ8J8GK2+vBGqxB25LcG6giRdPs2/jb5UHd9tqqrPdO/rJWV4OrTDkevYb2qfnubuvZgrf+C9bD1l0Xnklr2zY0R6RCkSpmVhQfwpXU0KGb9pW7oJS897XB7GCawKfufOdmYqyjG3o9nMi5+cIVNKfhT14wSv6D1FUQIIQnzJPE22SBmWIzkS4ovGP2cRObVTcIRwO5U4H8x kiatrop@rudie -farah_karim: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCzKSQSk3ntKGUW2Cy8lt/44BTK2+UxMM4W2XO4CrcwgUxxlgIfpL4UjyuSKIygRdU/lL/4xHJdRNzA7PSEiHnBhIeLiF9QWw1mO2GVdJ4/1G5J/XEZ3sL7zyEdwwks7FsnT4U9PO9drNDZ1AmIK8eDKtX9EJcOFflulOknbIHjIq29gXcXbrhQaV3rNHS8vGDkv3fkpJT9Wi8BEUMeMFYsa3k3pc3nPysCQR+xsVJ1Ht+1gpU71W7fACaI1ltYaCToPAJasU19Tz6xE3edl9/Dz6HIL5FcVNSbLFEiyQhd5oL1ITCXJOwzyqobrUUdRK/30iIBRRFW00AIGQCDV0S3 hadoop@karim-ThinkPad-S1-Yoga -luca_frosini: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlTQulSJFayTJyOOecgsct35u7uvVQGX/Da11UZVxvJzw2sQKOMSCMBBGF9zUlcMoP/qvF425jVMM71S8kamCcqgSN528fp9W/Nhw7s15NbCE3H9tJ3B+u5ESOYsRfgogeTIyL26aIY/2rke0DoKDIMU3YlOtN/1ipt5cY9uV3ootxTM126y2WChICGo0h77M/Ta1pIccUE0XbuaA1HwlJBkfDzQ2kh5tkaC7mjeETstOQzpEoPFoVr0qwSPz1Y6l8uiedpDZejrq64Z2zRcSxjEQ1wuA9r8uO7TJQttUKK8m/dHMe6q3WAiFc9sOYe4tf/GEmziB8VloMTNCPJQiz lucafrosini@pc-frosini -francesco_mangiacrapa: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa0NzwaCcauxAFlsupU2xG2eff9nzep9bnb8pISbX2lk+K4yoJvJOAz9W9klJtpPX/IUJx18YR4jjDNcdiYWNh4Y+5jKT2EhSPNkj7Vw2MhA/ZeOrfHx7JNtL8gdxa8XxYB0ZoZqutRppmaRwWmGGwdVh0wyUzWR/v0OT01IuQGYVneLKIjUtx+BcWGsosWISaOQzVbv9iTFbSwgjbkKFHzHasxwKsrK4t1wvbzuxwhVC+5/VKghBJWN219m/PO+itww/fSes0KpI5X/7q8jrYzUgYwrKwt290U41Fx8syDQ6101YnRzMXZRyZwuVNh2S7WosGWebg5nPS4IjKho/F francesco-mangiacrapa@ubuntu-francesco-i24 -lucia_vadicamo: ssh-rsa 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 lucia.vadicamo@isti.cnr.it -sahar_vahdati_old: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605 -sahar_vahdati: ssh-dss 
AAAAB3NzaC1kc3MAAAEBAMAfb7STRygwnvobeoYs+znGDFSauwFJ53SGiqxWvws7VO84JLCGPrInrnFYhU6eJAWd7W24ebQhBLqEKprJ85+j068F8kBL3EoR3yyS47jHeM9nZtQEoPuPJIdQotKEUcsEB0qXsdxrK/g2xOwEE/QTvxHHoHdrlrV5i8nL2iRJZTLn1OdoyHTUJMX778RJuqsApY9duyi6Sx7YshF4uFqNiarrEUu0ldG2K8akBwQEvDBJuXsDKD5GJmRzBbqDX8xswTORelvcVtDk/TD0wMMKudBNQfktTPXATBCx6oPQ3gzBlLDF4KrnwKZ+I75c6/Q+AIz3OMM8vrcB6JMLk0MAAAAVAPKLs+YuP5ulRX484PevayNHavKJAAABAFcjNAQ1KxUKaNBeDMtNj8WWkMyx02HUPWf8ztKetTyvavK4ILTrQAwsgvH3dmOMSnm4ckWMSxQ/v+zbU/mKNddyNo7BJqRT4rKbQUvp5Mg5E+PkZNZaiTu9C8rLIa1JbUoEyssqLAlFbIviJlwpLgaf+jY7ZCJso7kCYRWkcXMaEnNvqCd5u8IAGBZijI/L9TtAIyjgYoh4pYdAPWjYTjH+nH9xpIuN7KQEVq1ba/WyAe9xVNPta+fnuHiUHbUpNaExhIs4pskfCI5EuBBgxtixkSPssZaNFlWXx2rwFLnfvnLxeG9t7qbXs5LPoo0x0miq/eo+jgIHel9uEvN/BNYAAAEAQ/qXwtXcw1aA7PoKOTOmwaproFmcnu/7unEEu16/G4F2t76kz4CwehGgq19MnbgfzBL64qfs9A5UxI4HRJ6e5/Ik1a1dv/tSVSgA+rKJWeCZr1cTg5Y/u7OAk/mik0nL7r7TraofYvGAWl7ckYeN/28wv5TWSNB6CkPix69DgLvapjU5RG+7DPhzINc5MF75MjFRTnc5eAeC2wv2+3MzGzm78+i6UPpwd7Jj/BKTvtj0XinHJj+QNhkVtH6lAYDnAJNrQXpiGCKScVs1YCNbF9xHtBN1wlU99k+FdjLVsef3L348c3QWTVloXoh+HC0eNwt8QvLUyZLGyaCAy0ifvw== dsa-key-20150709 -christoph_lange: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFxHqgmIkBfdyxRCMGhj2R+Bj05EBB7DlBrlKy6eM3K3EnPP+0dlMW+KhGwcu5sHFjyPtdngEO8AX1TQCUgifhd9++fBVAfUfKU5+dUqqyFFeQjQMqbf7pzWCJ9JjQ5tk1If9IzgBe/50ro0SCqIbod3FogSe4RZqQV1P0znxaHt4ngJSRYnRK+6gniMuT+SlcKgjDM8v8RP4ELWvE0ibduUGoyCEzmmroXgymcL7tpqHTdfo8o3mbcwqRGmCHEplQttFG57PwkJlcQvhKuJHo/Sgcyx2WuEFL/vZMFnuXhaNFg7I1UIO9bNwsLjsbnR9FEK9rjwwl8dKQHDh5R1zQ== clange@BACH # Use the list when you want to give access to non root users ssh_users_list: diff --git a/tomcat-apache-requirements/meta/main.yml b/tomcat-apache-requirements/meta/main.yml index f3b1ad18..891b1941 100644 --- a/tomcat-apache-requirements/meta/main.yml +++ b/tomcat-apache-requirements/meta/main.yml 
@@ -1,8 +1,8 @@
 ---
-dependencies:
- - role: '../../library/roles/oracle-jdk'
- - role: '../../library/roles/apache'
- - role: '../../library/roles/tomcat'
- when: tomcat_m_instances is not defined
+#dependencies:
+# - role: '../../library/roles/oracle-jdk'
+# - role: '../../library/roles/apache'
+# - role: '../../library/roles/tomcat'
+# when: tomcat_m_instances is not defined
 # - role: '../../library/roles/tomcat-multiple-instances'
 # when: tomcat_m_instances
diff --git a/tomcat-apache-requirements/tasks/java-requirements.yml b/tomcat-apache-requirements/tasks/java-requirements.yml
index c065d71a..5396df20 100644
--- a/tomcat-apache-requirements/tasks/java-requirements.yml
+++ b/tomcat-apache-requirements/tasks/java-requirements.yml
@@ -1,23 +1,8 @@
 ---
-- name: Install the apache proxy modules needed for tomcat
- file: src=/etc/apache2/mods-available/{{ item }} dest=/etc/apache2/mods-enabled/{{ item }} state=link
- with_items:
- - proxy.load
- - proxy_http.load
- - proxy_ajp.load
- notify: apache2 reload
- tags:
- - apache
- - dnet
-
 - name: Ensure that the jre/lib/endorsed exists
 file: dest={{ jdk_java_home }}/jre/lib/endorsed state=directory owner=root group=root mode=0755
- tags:
- - apache
- - dnet
+ tags: apache
 - name: Install the xercesImpl.jar needed by the dnet applications
 copy: src=xercesImpl.jar dest={{ jdk_java_home }}/jre/lib/endorsed/xercesImpl.jar owner=root group=root mode=0644
- tags:
- - apache
- - dnet
+ tags: apache
diff --git a/tomcat-multiple-instances/defaults/main.yml b/tomcat-multiple-instances/defaults/main.yml
index 49cbba47..2c1958c6 100644
--- a/tomcat-multiple-instances/defaults/main.yml
+++ b/tomcat-multiple-instances/defaults/main.yml
@@ -49,5 +49,5 @@ tomcat_m_jmx_localhost_only: False
 # This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy
 #
 #tomcat_m_instances:
-# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}',default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '8182', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_port: '8100', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }
+# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '8182', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_port: '8100', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] }
diff --git a/tomcat-multiple-instances/templates/tomcat-server.xml.j2 b/tomcat-multiple-instances/templates/tomcat-server.xml.j2
index 0c8d6968..d4f70d3f 100644
--- a/tomcat-multiple-instances/templates/tomcat-server.xml.j2
+++ b/tomcat-multiple-instances/templates/tomcat-server.xml.j2
@@ -16,7 +16,11 @@ limitations under the License.
 -->
+{% if item.shutdown_port == '-1' %} + +{% else %} + {% endif %}
diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml
index a876f054..0b271416 100644
--- a/tomcat/defaults/main.yml
+++ b/tomcat/defaults/main.yml
@@ -16,6 +16,7 @@ tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }} -XX
 tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC"
 #tomcat_other_java_opts: "-Djsse.enableSNIExtension=false"
 tomcat_other_java_opts: ""
+tomcat_install_server_xml: True
 tomcat_install_default_conf: True
 tomcat_load_additional_default_conf: True
 tomcat_http_enabled: True
diff --git a/tomcat/tasks/tomcat-pkgs.yml b/tomcat/tasks/tomcat-pkgs.yml
index b7817854..45896f21 100644
--- a/tomcat/tasks/tomcat-pkgs.yml
+++ b/tomcat/tasks/tomcat-pkgs.yml
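Review bot: `{% if item.shutdown_port == '-1' %}` in the server.xml template compares against the string `'-1'`, so an instance entry that writes `shutdown_port: -1` as a YAML integer (the example in the defaults hunk quotes its ports, but nothing enforces that) falls through to the `else` branch and still opens the shutdown listener it was meant to disable. Compare numerically, `{% if item.shutdown_port | int == -1 %}`, which accepts both spellings. The two `Server` elements inside the branches were stripped from this page, so their attributes could not be reviewed here.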
@@ -17,7 +17,7 @@
 - name: Configure tomcat server.xml
 template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml
- when: tomcat_install_default_conf
+ when: tomcat_install_server_xml
 notify: tomcat restart
 tags: tomcat
diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml
index 8aefed53..87895154 100644
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@@ -5,6 +5,7 @@ use_apt_proxy: False
 apt_proxy_url: "http://apt.research-infrastructures.eu:9999"
+pkg_state: installed
 common_packages:
 - acl
 - zile
@@ -23,6 +24,12 @@ common_packages:
 - tree
 - bind9-host
 - bash-completion
+ - sudo
+
+# Set this variable in your playbook
+# additional_packages:
+# - pkg1
+# - pkg2
 # Unattended upgrades
 unatt_allowed_origins:
@@ -81,6 +88,12 @@ configure_munin: False
 # Manage the root ssh keys
 manage_root_ssh_keys: False
+install_additional_ca_certs: False
+additional_ca_dest_dir: /usr/local/share/ca-certificates
+# IMPORTANT: the destination file extension must be .crt
+#x509_additional_ca_certs:
+# - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' }
+
 #
 # debian/ubuntu distributions controllers
 #
@@ -90,6 +103,8 @@ has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution
 has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5"
+has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_lsb['major_release'] }} >= 8))"
+
 is_debian: "'{{ ansible_distribution }}' == 'Debian'"
 is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
 is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
@@ -97,8 +112,8 @@ is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5" is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4" is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6" -is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} <= 7" -is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} < 6" +is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} <= 7" +is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} < 6" is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)" is_hardy: "'{{ ansible_distribution_release }}' == 'hardy'" diff --git a/ubuntu-deb-general/handlers/main.yml b/ubuntu-deb-general/handlers/main.yml index cbb26546..fb906757 100644 --- a/ubuntu-deb-general/handlers/main.yml +++ b/ubuntu-deb-general/handlers/main.yml @@ -18,3 +18,7 @@ - name: Restart rsyslog service: name=rsyslog state=restarted +- name: Update the CA bundle list + shell: update-ca-certificates + tags: ca + 
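Review bot: The rewritten `is_debian_7_or_older` drops the `'{{ ansible_distribution_version }}' != 'lenny/sid'` guard that every neighbouring expression keeps, including `is_debian_less_than6` changed on the very next line, so on a testing/sid host the rendered expression becomes `'Debian' == 'Debian' and <token> <= 7` with whatever the major-version fact holds there; if that token is not numeric the outcome depends on the Ansible version, and since this variable now gates the `denyhost.yml` include in `main.yml`, a wrong result means installing denyhosts where it was not intended. Keeping the guard, `is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} <= 7"`, leaves the file internally consistent.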
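Review bot: The new `Update the CA bundle list` handler runs `update-ca-certificates` via `shell:` although the command takes no arguments and uses no shell features; `command: update-ca-certificates` does the same without spawning a root shell, which is the better default for handlers. It also only fires when the download task reports a change, so a `.crt` file placed in the directory by any other means is not merged into the bundle until something else triggers it; a comment saying `# Only runs when install_external_ca_cert.yml changed a file` would make that explicit.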
diff --git a/ubuntu-deb-general/tasks/denyhost.yml b/ubuntu-deb-general/tasks/denyhost.yml index 8c834d45..d3a92105 100644 --- a/ubuntu-deb-general/tasks/denyhost.yml +++ b/ubuntu-deb-general/tasks/denyhost.yml @@ -3,33 +3,21 @@ apt: pkg={{ item }} state=installed with_items: - denyhosts - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty tags: denyhosts - name: ensure CM can access the VMs action: | lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.18$" line="sshd: 146.48.123.18" - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty tags: denyhosts - name: ensure Monitoring can connect via ssh action: | lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.23$" line="sshd: 146.48.123.23" - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty tags: denyhosts - name: Set the treshold for root on the denyhosts config file lineinfile: | name=/etc/denyhosts.conf regexp="^DENY_THRESHOLD_ROOT = " line="DENY_THRESHOLD_ROOT = 5" - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty notify: Restart denyhosts tags: denyhosts diff --git a/ubuntu-deb-general/tasks/install_external_ca_cert.yml b/ubuntu-deb-general/tasks/install_external_ca_cert.yml index b74e0354..0be2a9e4 100644 --- a/ubuntu-deb-general/tasks/install_external_ca_cert.yml +++ b/ubuntu-deb-general/tasks/install_external_ca_cert.yml @@ -1,6 +1,8 @@ --- -- name: Install the INFN CA certificate - get_url: url=https://security.fi.infn.it/CA/mgt/INFNCA.pem dest=/etc/ssl/certs/infn-ca.pem - tags: - - ca +- name: Install the additional CA certificates + get_url: url={{ item.url }} dest={{ item.dest_file }} + with_items: x509_additional_ca_certs + when: install_additional_ca_certs + notify: Update the CA bundle list + tags: ca diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml index 2ba84e34..ade07398 100644 --- a/ubuntu-deb-general/tasks/main.yml +++ b/ubuntu-deb-general/tasks/main.yml 
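Review bot: The `apt: pkg={{ item }} state=installed` line for denyhosts stays hard-coded while the same commit introduces `pkg_state` and switches `packages.yml` and `ntp.yml` to `state={{ pkg_state }}`; `apt: pkg={{ item }} state={{ pkg_state }}` keeps the role consistent. With the per-task `when:` lists gone, these tasks, including the two `/etc/hosts.allow` entries for fixed addresses, now rely entirely on the include in `main.yml` for distro gating, which is worth stating at the top of the file, e.g. `# Gated by the denyhost.yml includes in main.yml (Debian <= 7 / Ubuntu < trusty only)`.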
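Review bot: The rewritten `get_url` line drops whatever it fetches straight into the system trust store with no integrity check, so every TLS decision on the host now rests on that download succeeding untampered; since the entries already live in a playbook variable, each can carry a fingerprint and the task can pin it: `get_url: url={{ item.url }} dest={{ item.dest_file }} checksum=sha256:{{ item.sha256 }} owner=root group=root mode=0644`. If the Ansible in use predates `checksum=`, a `stat` plus `fail` pair on the downloaded file does the same job. Separately, `with_items: x509_additional_ca_certs` loops over a variable that is only a commented-out example in defaults, so a playbook that sets `install_additional_ca_certs: True` without defining the list will presumably fail at loop expansion; adding `x509_additional_ca_certs: []` to defaults avoids that. The `.crt` extension requirement is enforced only by a comment in defaults, so a `.pem` entry would be downloaded and then ignored by `update-ca-certificates`.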
@@ -3,15 +3,16 @@ - include: resolvconf.yml when: install_resolvconf - include: packages.yml +- include: ntp.yml - include: remove-unneeded-pkgs.yml - include: manage-ipv6-status.yml when: is_not_debian_less_than_6 - include: disable-ipv6-old-servers.yml when: disable_ipv6 - include: denyhost.yml - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty + when: is_debian_7_or_older +- include: denyhost.yml + when: is_ubuntu_less_than_trusty - include: munin.yml when: configure_munin - include: pubkeys.yml diff --git a/ubuntu-deb-general/tasks/ntp.yml b/ubuntu-deb-general/tasks/ntp.yml new file mode 100644 index 00000000..46a6692c --- /dev/null +++ b/ubuntu-deb-general/tasks/ntp.yml @@ -0,0 +1,9 @@ +--- +- name: Install the ntp server + apt: pkg=ntp state={{ pkg_state }} + tags: [ 'packages', 'ntp' ] + +- name: Ensure that the ntp server is running + service: name=ntp state=started enabled=yes + tags: [ 'packages', 'ntp' ] + diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml index 952e29aa..005214a2 100644 --- a/ubuntu-deb-general/tasks/packages.yml +++ b/ubuntu-deb-general/tasks/packages.yml 
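Review bot: `denyhost.yml` is now included twice with one condition each, and the construct needs a comment because it looks like a copy-paste mistake: the removed form put both variables in a list under `when:`, which Ansible combines with AND, so the old include could never have matched a host that is both Debian and Ubuntu and effectively never ran. Something like `# Included twice on purpose: one include per distro family, since a list under when: is ANDed` above the first include would save the next reader the archaeology. It would also help to note what protects hosts matching neither condition; `has_fail2ban` is added to defaults in this same change but nothing in the diff consumes it.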
@@ -28,66 +28,60 @@ apt_repository: repo='deb http://http.debian.net/debian-backports squeeze-backports main' state=present register: update_apt_cache when: is_debian6 - tags: - - squeeze-backports - -- name: Install the squeeze-lts repository on debian 6 - apt_repository: repo='deb http://http.debian.net/debian squeeze-lts main contrib non-free' state=present - register: update_apt_cache - when: is_debian6 - tags: - - squeeze-lts + tags: squeeze-backports - name: Install the backports repository on debian 7 apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main' state=present register: update_apt_cache when: is_debian7 - tags: - - wheezy-backports + tags: wheezy-backports - name: Install the backports repository on debian 8 apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present register: update_apt_cache when: is_debian8 - tags: - - wheezy-backports + tags: jessie-backports + +# Debian 7 “Wheezy” from February 2016 to May 2018 +# Debian 8 “Jessie“ from May 2018 to April/May 2020 +- name: Install the squeeze-lts repository on debian 6 + apt_repository: repo='deb http://http.debian.net/debian squeeze-lts main contrib non-free' state=present + register: update_apt_cache + when: is_debian6 + tags: squeeze-lts + +# - name: Install the wheezy-lts repository on debian 7 +# apt_repository: repo='deb http://http.debian.net/debian wheezy-lts main contrib non-free' state=present +# register: update_apt_cache +# when: is_debian7 +# tags: wheeze-lts - name: apt key for the internal ppa repository apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present when: is_ubuntu - tags: - - packages + tags: packages - name: setup system apt repository apt_repository: repo='deb http://ppa.research-infrastructures.eu/system stable main' register: update_apt_cache when: is_ubuntu - tags: - - packages + tags: packages - name: Update the apt cache apt: update_cache=yes when: 
update_apt_cache.changed ignore_errors: True - tags: - - packages + tags: packages - name: install common packages - apt: pkg={{ item }} state=installed + apt: pkg={{ item }} state={{ pkg_state }} when: has_apt with_items: common_packages - tags: - - packages + tags: [ 'packages', 'common_pkgs' ] -- name: Install the ntp server - apt: pkg=ntp state=installed - tags: - - packages - - ntp - -- name: Ensure that the ntp server is running - service: name=ntp state=started - tags: - - packages - - ntp +- name: Install additional packages, if any + apt: pkg={{ item }} state={{ pkg_state }} + with_items: additional_packages + when: additional_packages is defined + tags: [ 'packages', 'common_pkgs', 'additional_packages' ] diff --git a/vagrant/defaults/main.yml b/vagrant/defaults/main.yml new file mode 100644 index 00000000..9bbd268c --- /dev/null +++ b/vagrant/defaults/main.yml @@ -0,0 +1,11 @@ +--- +vagrant_install: False +vagrant_package_from_site: False +vagrant_site_version: 1.7.4 +vagrant_url: 'https://dl.bintray.com/mitchellh/vagrant/vagrant_{{ vagrant_site_version }}_x86_64.deb' +virtualbox_version: 5.0 + +vagrant_package_list: + - 'linux-headers-{{ ansible_kernel }}' + - 'virtualbox-{{ virtualbox_version }}' + diff --git a/vagrant/tasks/main.yml b/vagrant/tasks/main.yml new file mode 100644 index 00000000..24cf35ba --- /dev/null +++ b/vagrant/tasks/main.yml 
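Review bot: The context kept in this hunk still fetches the signing key for the internal ppa with `apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc` and adds the repository over plain http; that key is the trust root for every package later installed from the repo as root, so an on-path attacker who substitutes the key on first provisioning can also serve their own signed packages. This is pre-existing rather than introduced here, but as the task list is being reshuffled anyway it is the moment to ship the key with the role, `apt_key: data="{{ lookup('file', 'system-archive.asc') }}" state=present`, or at least fetch it over https with an `id=` fingerprint. `Update the apt cache` also keeps `ignore_errors: True`, so a repository that fails to refresh is silently tolerated and the install tasks proceed against stale indexes.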
@@ -0,0 +1,26 @@ +--- +- name: Get the package from the vagrant site + get_url: url='{{ vagrant_url }}' dest=/opt/vagrant_{{ vagrant_site_version }}_x86_64.deb + when: vagrant_package_from_site + tags: [ 'vagrant', 'virtualbox' ] + +- name: Install the virtualbox repository key + apt_key: url=https://www.virtualbox.org/download/oracle_vbox.asc state=present + when: vagrant_package_from_site + tags: [ 'vagrant', 'virtualbox' ] + +- name: Install the virtualbox repository + apt_repository: repo='deb http://download.virtualbox.org/virtualbox/debian {{ ansible_distribution_release }} contrib' state=present update_cache=yes + when: vagrant_package_from_site + tags: [ 'vagrant', 'virtualbox' ] + +- name: Install the virtualbox package and vagrant requirements + apt: name={{ item }} state={{ pkg_state }} + with_items: vagrant_package_list + tags: [ 'vagrant', 'virtualbox' ] + +- name: Install the package from the vagrant site + apt: deb=/opt/vagrant_{{ vagrant_site_version }}_x86_64.deb + when: vagrant_package_from_site + tags: [ 'vagrant', 'virtualbox' ] +
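Review bot: The vagrant `.deb` is fetched with `get_url` and then handed to `apt: deb=` as root without any integrity check, and a local `.deb` install is not covered by apt's repository signatures, so a substituted file on the download path installs arbitrary code; pin it by adding `vagrant_deb_sha256` to defaults and using `get_url: url='{{ vagrant_url }}' dest=/opt/vagrant_{{ vagrant_site_version }}_x86_64.deb checksum=sha256:{{ vagrant_deb_sha256 }}`. The repository and key tasks are gated on `vagrant_package_from_site`, while `vagrant_package_list` in defaults always contains `virtualbox-{{ virtualbox_version }}`, so with the flag false the package task presumably has no source for that package unless another repository provides it; either gate it on the same flag or document where it is expected to come from. `vagrant_install` is defined in defaults but nothing in this task file reads it.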