library/roles/iptables/tasks/main.yml: ugly fix for the distribution versions mess.
library/roles/oracle-jdk/tasks/main.yml: now it installs on debian too. library/roles/php-fpm: Support saving sessions on memcache. Needs memcache (there's a role for it). library/roles/postfix-relay: Now it can be configured to permit unencrypted connections from the local clients. library/roles/users: Fix the sudo stuff.
parent
3390920d0f
commit
9e5653f85d
@ -17,12 +17,34 @@
|
|||
- iptables
|
||||
- iptables_rules
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )
|
||||
when: is_precise
|
||||
notify: Start the iptables service
|
||||
tags:
|
||||
- iptables
|
||||
- iptables_rules
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_trusty
|
||||
notify: Start the iptables service
|
||||
tags:
|
||||
- iptables
|
||||
- iptables_rules
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_debian7
|
||||
notify: Start the iptables service
|
||||
tags:
|
||||
- iptables
|
||||
|
|
|
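Review bot: A host that matches none of `is_precise`, `is_trusty` or `is_debian7` — a jessie host, for example, for which group_vars in this same commit defines `is_debian8` — now has all three rules tasks skipped, so `/etc/iptables/rules.v4` is never written and the play still reports success. The gap existed before the split too, but with three copies it is easier to extend one and forget the others; a closing task such as `- fail: msg="iptables role: no rules template for this release"` with `when: ansible_distribution_release not in ['precise', 'trusty', 'wheezy']` would make the unsupported case visible instead of silent. The commit message calls the split an ugly fix; the reason the combined `when` did not work is not visible here, so a comment above the first task naming the Ansible behaviour being worked around would help whoever later tries to merge them back. The tags list of the debian 7 task continues outside the hunk.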
@ -7,4 +7,4 @@ mc_user: memcached
|
|||
mc_maxconn: 1024
|
||||
mc_cachesize: 256
|
||||
mc_options: ""
|
||||
mc_ipaddress: 127.0.0.1
|
||||
mc_ipaddress: 127.0.0.1
|
||||
|
|
|
@ -1,6 +1,13 @@
|
|||
---
|
||||
- name: setup the Oracle JDK repository
|
||||
apt_repository: repo='ppa:webupd8team/java'
|
||||
- name: setup the Oracle JDK repository on ubuntu
|
||||
apt_repository: repo='ppa:webupd8team/java' state=present
|
||||
when: is_ubuntu
|
||||
register: update_apt_cache
|
||||
tags: jdk
|
||||
|
||||
- name: setup the Oracle JDK repository on debian
|
||||
apt_repository: repo='deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main' state=present
|
||||
when: is_debian
|
||||
register: update_apt_cache
|
||||
tags: jdk
|
||||
|
||||
|
|
|
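Review bot: Both tasks `register: update_apt_cache`, and since at most one of `is_ubuntu`/`is_debian` matches, the skipped task still stores a skipped result in that same variable; on Ubuntu the debian task runs second and overwrites the result of the task that actually changed something, so a later `when: update_apt_cache.changed` would never fire there (that consumer is outside the hunk, so this is inferred). Registering the two tasks into different names, or using one task whose `repo=` comes from a per-distribution variable, avoids the clobber. Separately, the Debian line adds the PPA as a plain `deb http://…` source: the `ppa:` form used on Ubuntu imports the repository's signing key, but nothing in this hunk does so on Debian, so apt will treat the source as unsigned unless an `apt_key` task elsewhere installs the key — worth confirming, because signature verification is the only integrity check on packages fetched over http.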
@ -54,7 +54,14 @@ phpfpm_default_slowlog_timeout: "20s"
|
|||
phpfpm_default_rlimit_files: "1024"
|
||||
phpfpm_default_extensions: ".php"
|
||||
phpfpm_default_context: '/'
|
||||
phpfpm_session_prefix: '/var/lib/php5'
|
||||
phpfpm_default_session_handler: 'files'
|
||||
phpfpm_default_session_prefix: '/var/lib/php5'
|
||||
phpfpm_session_prefix: '{{ phpfpm_default_session_prefix }}'
|
||||
|
||||
phpfpm_use_memcache_redundancy_sessions: False
|
||||
phpfpm_use_memcached_redundancy_sessions: False
|
||||
memcache_session_allow_failover: 1
|
||||
memcache_session_redundancy: 3
|
||||
|
||||
phpfpm_pools:
|
||||
- { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}' }
|
||||
|
|
|
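Review bot: Reading this hunk's counts (7 old lines, 14 new), both `phpfpm_use_memcache_redundancy_sessions` and `phpfpm_use_memcached_redundancy_sessions` are on the new side, yet the task file in this commit only reads `phpfpm_use_memcache_redundancy_sessions`; the `memcached` variant looks like a stray duplicate that a user could set expecting the same effect. If it has no consumer, drop it; if both are intentional, a one-line comment above each saying which PHP extension it targets would prevent the mix-up. Note also that the pool template added in this commit falls back to `phpfpm_session_save_path`, which is not declared among these defaults, so a comment here naming it as an optional override would document the contract.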
@ -14,6 +14,22 @@
|
|||
- php
|
||||
- php_ini
|
||||
|
||||
- name: Activate the memcache redundancy if we use it
|
||||
ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.allow_failover value={{ memcache_session_allow_failover }}
|
||||
when: phpfpm_use_memcache_redundancy_sessions
|
||||
notify: Reload php-fpm
|
||||
tags:
|
||||
- php
|
||||
- php_ini
|
||||
|
||||
- name: Set the memcache redundancy servers
|
||||
ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.session_redundancy value={{ memcache_session_redundancy }}
|
||||
when: phpfpm_use_memcache_redundancy_sessions
|
||||
notify: Reload php-fpm
|
||||
tags:
|
||||
- php
|
||||
- php_ini
|
||||
|
||||
- name: remove php-fpm default pool
|
||||
file: dest={{ phpfpm_base_dir }}/pool.d/www.conf state=absent
|
||||
when: phpfpm_remove_default_pool
|
||||
|
|
|
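Review bot: The two `ini_file` tasks only ever write `memcache.allow_failover` and `memcache.session_redundancy`; once a host has run with `phpfpm_use_memcache_redundancy_sessions` true, setting it back to false leaves both keys in php.ini because no branch uses `state=absent`. Companion tasks with `when: not phpfpm_use_memcache_redundancy_sessions` and `state=absent` (or a single task deriving `state` from the flag) keep the file in step with the variable. The name `Set the memcache redundancy servers` is also misleading — the task sets the redundancy count, the servers come from the session save path.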
@ -288,6 +288,17 @@ php_admin_flag[log_errors] = {{ item.log_errors }}
|
|||
php_admin_value[memory_limit] = {{ item.memory_limit }}
|
||||
|
||||
; Set session path to a directory owned by process user
|
||||
php_value[session.save_handler] = files
|
||||
php_value[session.save_path] = {{ phpfpm_session_prefix }}/{{ item.pool_name }}
|
||||
|
||||
{% if item.session_save_handler is defined %}
|
||||
php_value[session.save_handler] = '{{ item.session_save_handler }}'
|
||||
{% else %}
|
||||
php_value[session.save_handler] = '{{ phpfpm_default_session_handler }}'
|
||||
{% endif %}
|
||||
{% if item.session_save_path is defined %}
|
||||
php_value[session.save_path] = '{{ item.session_save_path }}'
|
||||
{% else %}
|
||||
{% if phpfpm_session_save_path is defined %}
|
||||
php_value[session.save_path] = '{{ phpfpm_session_save_path }}'
|
||||
{% else %}
|
||||
php_value[session.save_path] = '{{ phpfpm_default_session_prefix }}/{{ item.pool_name }}'
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
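Review bot: When a pool selects a non-file handler (the memcache case this commit adds) but gives no `session_save_path`, the fallback still renders `php_value[session.save_path] = '/var/lib/php5/<pool>'`, a filesystem path that means nothing to that handler, so the pool quietly fails to persist sessions. Either make the fallback depend on the resolved handler (only use the directory prefix when it is `files`) or state in the defaults that a non-file `session_save_handler` requires `session_save_path` on the pool. The values are also now wrapped in single quotes where the replaced lines were bare; whether php-fpm strips those quotes for `php_value[...]` entries should be confirmed on a rendered pool before relying on it.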
@ -5,6 +5,10 @@ postfix_biff: "no"
|
|||
postfix_append_dot_mydomain: "no"
|
||||
postfix_use_relay_host: True
|
||||
|
||||
# Accepted values: none, may, encrypt
|
||||
postfix_smtpd_tls_security_level: encrypt
|
||||
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
|
||||
postfix_smtp_tls_security_level: encrypt
|
||||
postfix_use_sasl_auth: True
|
||||
postfix_smtp_sasl_auth_enable: "yes"
|
||||
postfix_smtp_create_relay_user: True
|
||||
|
|
|
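Review bot: `postfix_smtpd_tls_security_level` is one knob feeding both main.cf (`smtpd_tls_security_level={{ … }}`) and the submission service in master.cf (`-o smtpd_tls_security_level={{ … }}` next to `-o smtpd_sasl_auth_enable=yes`), so relaxing it to `may` or `none` for local unencrypted clients also relaxes the port on which users authenticate; unless the `smtpd_tls_auth_only = yes` line (inside a conditional block that starts outside the main.cf hunk) is rendered, SASL credentials could then be sent in clear text. A separate variable for submission, left at `encrypt`, keeps the two decisions independent — e.g. `postfix_submission_tls_security_level: encrypt` here and `-o smtpd_tls_security_level={{ postfix_submission_tls_security_level }}` in master.cf. The comment above the variable should also say that `none` disables STARTTLS for every smtpd instance using it, not only for local clients.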
@ -1,6 +1,5 @@
|
|||
---
|
||||
- include: smtp-common-packages.yml
|
||||
when: postfix_relay_client
|
||||
- include: smtp-sasl-auth.yml
|
||||
when:
|
||||
- postfix_use_sasl_auth
|
||||
|
|
|
@ -1,54 +1,40 @@
|
|||
---
|
||||
- name: Write the network hash file
|
||||
template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
|
||||
when: postfix_relay_server
|
||||
notify: Update the network hash table
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Activate the submission port on the postfix master file
|
||||
template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
|
||||
when: postfix_relay_server
|
||||
notify: Restart postfix
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Install the sasl2 authentication infrastructure
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items: postfix_sasl_packages
|
||||
when: postfix_relay_server
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Create the sasl directory inside /etc/postfix
|
||||
file: dest=/etc/postfix/sasl state=directory owner=root group=root mode=0555
|
||||
when: postfix_relay_server
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Install the smtpd.conf file inside inside /etc/postfix/sasl
|
||||
copy: src=sasl_smtpd.conf dest=/etc/postfix/sasl/smtpd.conf owner=root group=root mode=0444
|
||||
when: postfix_relay_server
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Enable the saslauth daemon
|
||||
action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell
|
||||
when: postfix_relay_server
|
||||
notify: start saslauth daemon
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Change the socket path because postfix on debian runs inside a chroot jail
|
||||
action: configfile path=/etc/default/saslauthd key=OPTIONS value='"-c -m /var/spool/postfix/var/run/saslauthd"' syntax=shell
|
||||
when: postfix_relay_server
|
||||
notify: restart saslauth daemon
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket
|
||||
user: name=postfix groups='sasl'
|
||||
when: postfix_relay_server
|
||||
notify: Restart postfix
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
|
|
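Review bot: `user: name=postfix groups='sasl'` without `append=yes` replaces the postfix user's supplementary groups with `sasl` alone, the same mistake this commit fixes in the users role by adding `append=yes`; if this task is on the new side it should read `user: name=postfix groups='sasl' append=yes`. The rendered page has lost the +/- markers, so whether this task survives the 14-line removal in this hunk cannot be told from here.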
@ -13,3 +13,9 @@
|
|||
tags:
|
||||
- postfix-relay
|
||||
|
||||
- name: Activate the submission port on the postfix master file
|
||||
template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
|
||||
notify: Restart postfix
|
||||
tags:
|
||||
- postfix-relay
|
||||
|
||||
|
|
|
@ -23,9 +23,9 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|||
smtpd_tls_security_level = encrypt
|
||||
smtpd_tls_auth_only = yes
|
||||
{% endif %}
|
||||
smtpd_use_tls=yes
|
||||
smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
|
||||
# Client
|
||||
smtp_tls_security_level = encrypt
|
||||
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
||||
|
|
|
@ -16,7 +16,7 @@ smtp inet n - - - - smtpd
|
|||
#tlsproxy unix - - - - 0 tlsproxy
|
||||
submission inet n - - - - smtpd
|
||||
-o syslog_name=postfix/submission
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
# -o smtpd_reject_unlisted_recipient=no
|
||||
# -o smtpd_client_restrictions=$mua_client_restrictions
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
# Use the apt proxy
|
||||
#
|
||||
use_apt_proxy: False
|
||||
apt_proxy_url: "http://apt.research-infrastructures.eu:9999"
|
||||
|
||||
pkg_state: installed
|
||||
common_packages:
|
||||
|
@ -97,24 +96,24 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates
|
|||
#
|
||||
# debian/ubuntu distributions controllers
|
||||
#
|
||||
has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6"
|
||||
has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6"
|
||||
|
||||
has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04 or {{ ansible_distribution_version }} == 12.04)"
|
||||
|
||||
has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5"
|
||||
has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_distribution_major_version }}' >= 5"
|
||||
|
||||
has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_lsb['major_release'] }} >= 8))"
|
||||
has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_distribution_major_version }} >= 8))"
|
||||
|
||||
is_debian: "'{{ ansible_distribution }}' == 'Debian'"
|
||||
is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
|
||||
is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
|
||||
is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)"
|
||||
is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5"
|
||||
is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4"
|
||||
is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6"
|
||||
is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} == 6)"
|
||||
is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 5"
|
||||
is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 4"
|
||||
is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} != 6"
|
||||
is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} <= 7"
|
||||
is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} < 6"
|
||||
is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)"
|
||||
is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6)"
|
||||
|
||||
is_hardy: "'{{ ansible_distribution_release }}' == 'hardy'"
|
||||
is_broken_hardy_lts: "'{{ ansible_distribution }}'== 'Debian' and '{{ ansible_distribution_release }}' == 'NA'"
|
||||
|
@ -126,19 +125,19 @@ is_trusty: "'{{ ansible_distribution_release }}' == 'trusty'"
|
|||
is_ubuntu: "'{{ ansible_distribution }}' == 'Ubuntu'"
|
||||
is_not_precise: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 12.04) or '{{ ansible_distribution }}' == 'Debian'"
|
||||
is_not_trusty: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 14.04) or '{{ ansible_distribution }}' == 'Debian'"
|
||||
is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} >= 12)"
|
||||
is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12)"
|
||||
is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 14)"
|
||||
is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 12)"
|
||||
is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12)"
|
||||
is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 14)"
|
||||
# Ubuntu < 10.04 or Debian 4
|
||||
is_ubuntu_between_8_and_9_and_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 8.04 or {{ ansible_distribution_version }} == 8.10 or {{ ansible_distribution_version }} == 9.04)) or ({{ is_debian4 }})"
|
||||
#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12) or ({{ is_debian4 }})"
|
||||
#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12) or ({{ is_debian4 }})"
|
||||
is_ubuntu_between_8_and_9_or_is_debian_4: "'{{ is_ubuntu_between_8_and_9_and_is_debian_4 }}'"
|
||||
# Ubuntu between 10.04 and 11.04
|
||||
is_ubuntu_between_10_04_and_11_04: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 10.04 or {{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04)"
|
||||
# Ubuntu between 10.04 and 11.04, or Debian 6
|
||||
is_ubuntu_between_10_04_and_11_04_and_is_debian_6: "({{ is_ubuntu_between_10_04_and_11_04 }} or {{ is_debian6 }})"
|
||||
# Debian >=6
|
||||
is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6"
|
||||
is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6"
|
||||
|
||||
is_trusty_or_debian7: "('{{ ansible_distribution_release }}' == 'trusty') or ('{{ ansible_distribution_release }}' == 'wheezy')"
|
||||
|
||||
|
|
|
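Review bot: The move from `ansible_lsb['major_release']` to `ansible_distribution_major_version` is not carried through: `has_htop`, `is_not_precise`, `is_not_trusty` and `is_ubuntu_between_8_and_9_and_is_debian_4` still splice `{{ ansible_distribution_version }}` unquoted into numeric comparisons such as `!= 12.04`, which only works while the fact renders as a valid number literal. Expressing them the way `is_precise`/`is_trusty` already do — for Ubuntu/Debian hosts, `is_not_precise: "'{{ ansible_distribution_release }}' != 'precise'"` — keeps the file on one mechanism and avoids depending on lsb at all. The first hunk of this section drops one line from the apt-proxy block; from the rendered page it is not clear which.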
@ -10,5 +10,5 @@ users_sudoers_create_group: False
|
|||
users_sudoers_create_sudo_conf: False
|
||||
users_home_dir: /home
|
||||
#users_system_users:
|
||||
# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' }
|
||||
# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
|
||||
|
||||
|
|
|
@ -29,11 +29,11 @@
|
|||
- users
|
||||
|
||||
- name: Add the admin users to the sudoers group
|
||||
user: name={{ item.login }} groups={{ users_sudoers_group }}
|
||||
user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
|
||||
with_items: users_system_users
|
||||
when:
|
||||
- users_system_users is defined
|
||||
- item.admin == 'True'
|
||||
- item.admin
|
||||
tags:
|
||||
- users
|
||||
|
||||
|
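Review bot: `- item.admin` now tests the value's truthiness, so an inventory still carrying the old string form shown in the defaults example (`admin: 'False'`) passes the check — a non-empty string is true — and that user is added to `{{ users_sudoers_group }}`. `- item.admin | bool` accepts both the old strings and real booleans and evaluates `'False'` as false; the same applies to `item.log_as_root` in the next hunk (`- ( item.log_as_root is defined ) and ( item.log_as_root | bool )`). The `append=yes` addition is right — without it the task would reset the user's other supplementary groups.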
@ -43,7 +43,7 @@
|
|||
when:
|
||||
- users_system_users is defined
|
||||
- item.ssh_key is defined
|
||||
- ( item.log_as_root is defined ) and ( item.log_as_root == 'True' )
|
||||
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||
tags:
|
||||
- users
|
||||
|
||||
|
|