library/roles/iptables/tasks/main.yml: ugly fix for the distribution versions mess.

library/roles/oracle-jdk/tasks/main.yml: now it installs on debian too. library/roles/php-fpm: Support saving sessions on memcache. Needs memcache (there's a role for it). library/roles/postfix-relay: Now it can be configured to permit unencrypted connections from the local clients. library/roles/users: Fix the sudo stuff.
2015-09-03 02:36:22 +02:00 · 2015-09-03 02:36:22 +02:00 · 9e5653f85d
parent 3390920d0f
commit 9e5653f85d
15 changed files with 102 additions and 45 deletions
--- a/iptables/tasks/main.yml
+++ b/iptables/tasks/main.yml
@ -17,12 +17,34 @@
    - iptables
    - iptables_rules

- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used
+- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
  template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
  with_items:
    - rules.v4
    - rules.v6
-  when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )
+  when: is_precise
+  notify: Start the iptables service
+  tags:
+    - iptables
+    - iptables_rules
+
+- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
+  template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+  with_items:
+    - rules.v4
+    - rules.v6
+  when: is_trusty
+  notify: Start the iptables service
+  tags:
+    - iptables
+    - iptables_rules
+
+- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
+  template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+  with_items:
+    - rules.v4
+    - rules.v6
+  when: is_debian7
  notify: Start the iptables service
  tags:
    - iptables
--- a/memcached/defaults/main.yml
+++ b/memcached/defaults/main.yml
@ -7,4 +7,4 @@ mc_user: memcached
 mc_maxconn: 1024
 mc_cachesize: 256
 mc_options: ""
-mc_ipaddress: 127.0.0.1
+mc_ipaddress: 127.0.0.1
--- a/oracle-jdk/tasks/main.yml
+++ b/oracle-jdk/tasks/main.yml
@ -1,6 +1,13 @@
 ---
- name: setup the Oracle JDK repository
-  apt_repository: repo='ppa:webupd8team/java'
+- name: setup the Oracle JDK repository on ubuntu
+  apt_repository: repo='ppa:webupd8team/java' state=present
+  when: is_ubuntu
+  register: update_apt_cache
+  tags: jdk
+
+- name: setup the Oracle JDK repository on debian
+  apt_repository: repo='deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main' state=present
+  when: is_debian
  register: update_apt_cache
  tags: jdk

--- a/php-fpm/defaults/main.yml
+++ b/php-fpm/defaults/main.yml
@ -54,7 +54,14 @@ phpfpm_default_slowlog_timeout: "20s"
 phpfpm_default_rlimit_files: "1024"
 phpfpm_default_extensions: ".php"
 phpfpm_default_context: '/'
-phpfpm_session_prefix: '/var/lib/php5'
+phpfpm_default_session_handler: 'files'
+phpfpm_default_session_prefix: '/var/lib/php5'
+phpfpm_session_prefix: '{{ phpfpm_default_session_prefix }}'
+
+phpfpm_use_memcache_redundancy_sessions: False
+phpfpm_use_memcached_redundancy_sessions: False
+memcache_session_allow_failover: 1
+memcache_session_redundancy: 3

 phpfpm_pools:
  - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}' }
--- a/php-fpm/tasks/main.yml
+++ b/php-fpm/tasks/main.yml
@ -14,6 +14,22 @@
    - php
    - php_ini

+- name: Activate the memcache redundancy if we use it
+  ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.allow_failover value={{ memcache_session_allow_failover }}
+  when: phpfpm_use_memcache_redundancy_sessions
+  notify: Reload php-fpm
+  tags:
+    - php
+    - php_ini
+
+- name: Set the memcache redundancy servers
+  ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.session_redundancy value={{ memcache_session_redundancy }}
+  when: phpfpm_use_memcache_redundancy_sessions
+  notify: Reload php-fpm
+  tags:
+    - php
+    - php_ini
+
 - name: remove php-fpm default pool
  file: dest={{ phpfpm_base_dir }}/pool.d/www.conf state=absent
  when: phpfpm_remove_default_pool
--- a/php-fpm/templates/php-fpm-pool.conf.j2
+++ b/php-fpm/templates/php-fpm-pool.conf.j2
@ -288,6 +288,17 @@ php_admin_flag[log_errors] = {{ item.log_errors }}
 php_admin_value[memory_limit] = {{ item.memory_limit }}

 ; Set session path to a directory owned by process user
-php_value[session.save_handler] = files
-php_value[session.save_path] = {{ phpfpm_session_prefix }}/{{ item.pool_name }}
-
+{% if item.session_save_handler is defined %}
+php_value[session.save_handler] = '{{ item.session_save_handler }}'
+{% else %}
+php_value[session.save_handler] = '{{ phpfpm_default_session_handler }}'
+{% endif %}
+{% if item.session_save_path is defined %}
+php_value[session.save_path] = '{{ item.session_save_path }}'
+{% else %}
+{% if phpfpm_session_save_path is defined %}
+php_value[session.save_path] = '{{ phpfpm_session_save_path }}'
+{% else %}
+php_value[session.save_path] = '{{ phpfpm_default_session_prefix }}/{{ item.pool_name }}'
+{% endif %}
+{% endif %}
--- a/postfix-relay/defaults/main.yml
+++ b/postfix-relay/defaults/main.yml
@ -5,6 +5,10 @@ postfix_biff: "no"
 postfix_append_dot_mydomain: "no"
 postfix_use_relay_host: True

+# Accepted values: none, may, encrypt
+postfix_smtpd_tls_security_level: encrypt
+# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
+postfix_smtp_tls_security_level: encrypt
 postfix_use_sasl_auth: True
 postfix_smtp_sasl_auth_enable: "yes"
 postfix_smtp_create_relay_user: True
--- a/postfix-relay/tasks/main.yml
+++ b/postfix-relay/tasks/main.yml
@ -1,6 +1,5 @@
 ---
 - include: smtp-common-packages.yml
-  when: postfix_relay_client
 - include: smtp-sasl-auth.yml
  when:
    - postfix_use_sasl_auth
--- a/postfix-relay/tasks/postfix-relay-server.yml
+++ b/postfix-relay/tasks/postfix-relay-server.yml
@ -1,54 +1,40 @@
 ---
 - name: Write the network hash file
  template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
-  when: postfix_relay_server
  notify: Update the network hash table
  tags:
    - postfix-relay

- name: Activate the submission port on the postfix master file
-  template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
-  when: postfix_relay_server
-  notify: Restart postfix
-  tags:
-    - postfix-relay
-  
 - name: Install the sasl2 authentication infrastructure
  apt: pkg={{ item }} state=installed
  with_items: postfix_sasl_packages
-  when: postfix_relay_server
  tags:
    - postfix-relay

 - name: Create the sasl directory inside /etc/postfix
  file: dest=/etc/postfix/sasl state=directory owner=root group=root mode=0555
-  when: postfix_relay_server
  tags:
    - postfix-relay

 - name: Install the smtpd.conf file inside inside /etc/postfix/sasl
  copy: src=sasl_smtpd.conf dest=/etc/postfix/sasl/smtpd.conf owner=root group=root mode=0444
-  when: postfix_relay_server
  tags:
    - postfix-relay

 - name: Enable the saslauth daemon
  action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell
-  when: postfix_relay_server
  notify: start saslauth daemon
  tags:
    - postfix-relay

 - name: Change the socket path because postfix on debian runs inside a chroot jail
  action: configfile path=/etc/default/saslauthd key=OPTIONS value='"-c -m /var/spool/postfix/var/run/saslauthd"' syntax=shell
-  when: postfix_relay_server
  notify: restart saslauth daemon
  tags:
    - postfix-relay

 - name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket
  user: name=postfix groups='sasl'
-  when: postfix_relay_server
  notify: Restart postfix
  tags:
    - postfix-relay
--- a/postfix-relay/tasks/smtp-common-packages.yml
+++ b/postfix-relay/tasks/smtp-common-packages.yml
@ -13,3 +13,9 @@
  tags:
    - postfix-relay

+- name: Activate the submission port on the postfix master file
+  template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
+  notify: Restart postfix
+  tags:
+    - postfix-relay
+  
--- a/postfix-relay/templates/main.cf.j2
+++ b/postfix-relay/templates/main.cf.j2
@ -23,9 +23,9 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_security_level = encrypt
 smtpd_tls_auth_only = yes
 {% endif %}
-smtpd_use_tls=yes
+smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
 # Client
-smtp_tls_security_level = encrypt
+smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
--- a/postfix-relay/templates/postfix-master.cf.j2
+++ b/postfix-relay/templates/postfix-master.cf.j2
@ -16,7 +16,7 @@ smtp      inet  n       -       -       -       -       smtpd
 #tlsproxy  unix  -       -       -       -       0       tlsproxy
 submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
-  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@ -3,7 +3,6 @@
 # Use the apt proxy
 #
 use_apt_proxy: False
-apt_proxy_url: "http://apt.research-infrastructures.eu:9999"

 pkg_state: installed
 common_packages:
@ -97,24 +96,24 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates
 #
 # debian/ubuntu distributions controllers
 #
-has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6"
+has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6"

 has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04 or {{ ansible_distribution_version }} == 12.04)"

-has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5"
+has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_distribution_major_version }}' >= 5"

-has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_lsb['major_release'] }} >= 8))"
+has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_distribution_major_version }} >= 8))"

 is_debian: "'{{ ansible_distribution }}' == 'Debian'"
 is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
 is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
-is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)"
-is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5"
-is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4"
-is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6"
+is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} == 6)"
+is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 5"
+is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 4"
+is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} != 6"
 is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} <= 7"
 is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} < 6"
-is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)"
+is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6)"

 is_hardy: "'{{ ansible_distribution_release }}' == 'hardy'"
 is_broken_hardy_lts: "'{{ ansible_distribution }}'== 'Debian' and '{{ ansible_distribution_release }}' == 'NA'"
@ -126,19 +125,19 @@ is_trusty: "'{{ ansible_distribution_release }}' == 'trusty'"
 is_ubuntu: "'{{ ansible_distribution }}' == 'Ubuntu'"
 is_not_precise: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 12.04) or '{{ ansible_distribution }}' == 'Debian'"
 is_not_trusty: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 14.04) or '{{ ansible_distribution }}' == 'Debian'"
-is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} >= 12)"
-is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12)"
-is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 14)"
+is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 12)"
+is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12)"
+is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 14)"
 # Ubuntu < 10.04 or Debian 4
 is_ubuntu_between_8_and_9_and_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 8.04 or {{ ansible_distribution_version }} == 8.10 or {{ ansible_distribution_version }} == 9.04)) or ({{ is_debian4 }})"
-#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12) or ({{ is_debian4 }})"
+#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12) or ({{ is_debian4 }})"
 is_ubuntu_between_8_and_9_or_is_debian_4: "'{{ is_ubuntu_between_8_and_9_and_is_debian_4 }}'"
 # Ubuntu between 10.04 and 11.04
 is_ubuntu_between_10_04_and_11_04: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 10.04 or {{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04)"
 # Ubuntu between 10.04 and 11.04, or Debian 6
 is_ubuntu_between_10_04_and_11_04_and_is_debian_6: "({{ is_ubuntu_between_10_04_and_11_04 }} or {{ is_debian6 }})"
 # Debian >=6
-is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6"
+is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6"

 is_trusty_or_debian7: "('{{ ansible_distribution_release }}' == 'trusty') or ('{{ ansible_distribution_release }}' == 'wheezy')"

--- a/users/defaults/main.yml
+++ b/users/defaults/main.yml
@ -10,5 +10,5 @@ users_sudoers_create_group: False
 users_sudoers_create_sudo_conf: False
 users_home_dir: /home
 #users_system_users:
-#  - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' }
+#  - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }

--- a/users/tasks/main.yml
+++ b/users/tasks/main.yml
@ -29,11 +29,11 @@
    - users

 - name: Add the admin users to the sudoers group
-  user: name={{ item.login }} groups={{ users_sudoers_group }}
+  user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
  with_items: users_system_users
  when:
    - users_system_users is defined
-    - item.admin == 'True'
+    - item.admin
  tags:
    - users

@ -43,7 +43,7 @@
  when:
    - users_system_users is defined
    - item.ssh_key is defined
-    - ( item.log_as_root is defined ) and ( item.log_as_root == 'True' )
+    - ( item.log_as_root is defined ) and ( item.log_as_root )
  tags:
    - users