library/roles/iptables/tasks/main.yml: ugly fix for the distribution versions mess.

library/roles/oracle-jdk/tasks/main.yml: now it installs on debian too.
library/roles/php-fpm: Support saving sessions on memcache. Needs memcache (there's a role for it).
library/roles/postfix-relay: Now it can be configured to permit unencrypted connections from the local clients.
library/roles/users: Fix the sudo stuff.
Andrea Dell'Amico 2015-09-03 02:36:22 +02:00
parent 3390920d0f
commit 9e5653f85d
15 changed files with 102 additions and 45 deletions


@ -17,12 +17,34 @@
- iptables
- iptables_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )
when: is_precise
notify: Start the iptables service
tags:
- iptables
- iptables_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_trusty
notify: Start the iptables service
tags:
- iptables
- iptables_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian7
notify: Start the iptables service
tags:
- iptables
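Review bot: The three new tasks are identical apart from the `when:` line, so any change to the template call or the notify handler now has to be made three times. The split appears to work around the `is_*` variables being Jinja expressions stored as strings, which makes the earlier `( is_precise ) or ( is_trusty ) or ( is_debian7 )` combination evaluate as a non-empty (truthy) string; the same selection can be done with one task and a fact-based condition, `when: ansible_distribution_release in ['precise', 'trusty', 'wheezy']`. The task list continues past the end of the hunk.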


@ -7,4 +7,4 @@ mc_user: memcached
mc_maxconn: 1024
mc_cachesize: 256
mc_options: ""
mc_ipaddress: 127.0.0.1
mc_ipaddress: 127.0.0.1


@ -1,6 +1,13 @@
---
- name: setup the Oracle JDK repository
apt_repository: repo='ppa:webupd8team/java'
- name: setup the Oracle JDK repository on ubuntu
apt_repository: repo='ppa:webupd8team/java' state=present
when: is_ubuntu
register: update_apt_cache
tags: jdk
- name: setup the Oracle JDK repository on debian
apt_repository: repo='deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main' state=present
when: is_debian
register: update_apt_cache
tags: jdk
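Review bot: The Debian task adds a plain `deb http://...` source but nothing imports the PPA's signing key, so apt will treat packages from it as unauthenticated (the `ppa:` form used for Ubuntu fetches the key itself; an explicit deb line does not). An `apt_key` task gated on `is_debian` should precede the repository task; the key id is not on this page, so it is left as a placeholder below. A second, smaller issue: both tasks `register: update_apt_cache`, and a skipped task still registers its (skipped) result, so on Ubuntu the Debian task presumably overwrites the variable and a later `update_apt_cache.changed` check would see false — register distinct names or gate the cache update on the distribution as well.
```yaml
- name: import the Oracle JDK PPA signing key on debian
  apt_key: keyserver=keyserver.ubuntu.com id=<PPA_SIGNING_KEY_ID> state=present
  when: is_debian
  tags: jdk
# … unchanged: setup the Oracle JDK repository on debian …
```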


@ -54,7 +54,14 @@ phpfpm_default_slowlog_timeout: "20s"
phpfpm_default_rlimit_files: "1024"
phpfpm_default_extensions: ".php"
phpfpm_default_context: '/'
phpfpm_session_prefix: '/var/lib/php5'
phpfpm_default_session_handler: 'files'
phpfpm_default_session_prefix: '/var/lib/php5'
phpfpm_session_prefix: '{{ phpfpm_default_session_prefix }}'
phpfpm_use_memcache_redundancy_sessions: False
phpfpm_use_memcached_redundancy_sessions: False
memcache_session_allow_failover: 1
memcache_session_redundancy: 3
phpfpm_pools:
- { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}' }


@ -14,6 +14,22 @@
- php
- php_ini
- name: Activate the memcache redundancy if we use it
ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.allow_failover value={{ memcache_session_allow_failover }}
when: phpfpm_use_memcache_redundancy_sessions
notify: Reload php-fpm
tags:
- php
- php_ini
- name: Set the memcache redundancy servers
ini_file: dest={{ phpfpm_base_dir }}/php.ini section=memcache option=memcache.session_redundancy value={{ memcache_session_redundancy }}
when: phpfpm_use_memcache_redundancy_sessions
notify: Reload php-fpm
tags:
- php
- php_ini
- name: remove php-fpm default pool
file: dest={{ phpfpm_base_dir }}/pool.d/www.conf state=absent
when: phpfpm_remove_default_pool
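Review bot: The two new `ini_file` tasks only ever add `memcache.allow_failover` and `memcache.session_redundancy`; turning `phpfpm_use_memcache_redundancy_sessions` back off leaves both settings in php.ini, so the role is not reversible for that flag. Either add counterpart tasks with `state=absent` and `when: not phpfpm_use_memcache_redundancy_sessions`, or say in the task names that the options are only ever added. The commit message says these options need the memcache extension from another role; that dependency is presumably not declared in the role's meta, so a comment above the tasks such as `# requires the memcache role (pecl memcache); these options are ignored without the extension` would help the next reader.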


@ -288,6 +288,17 @@ php_admin_flag[log_errors] = {{ item.log_errors }}
php_admin_value[memory_limit] = {{ item.memory_limit }}
; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path] = {{ phpfpm_session_prefix }}/{{ item.pool_name }}
{% if item.session_save_handler is defined %}
php_value[session.save_handler] = '{{ item.session_save_handler }}'
{% else %}
php_value[session.save_handler] = '{{ phpfpm_default_session_handler }}'
{% endif %}
{% if item.session_save_path is defined %}
php_value[session.save_path] = '{{ item.session_save_path }}'
{% else %}
{% if phpfpm_session_save_path is defined %}
php_value[session.save_path] = '{{ phpfpm_session_save_path }}'
{% else %}
php_value[session.save_path] = '{{ phpfpm_default_session_prefix }}/{{ item.pool_name }}'
{% endif %}
{% endif %}
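Review bot: The final fallback uses `phpfpm_default_session_prefix` directly, while the defaults file in this same commit defines `phpfpm_session_prefix` as the overridable copy of it, so an inventory that overrides `phpfpm_session_prefix` no longer changes the per-pool save path — `php_value[session.save_path] = '{{ phpfpm_session_prefix }}/{{ item.pool_name }}'` restores that. The comment above the block (`; Set session path to a directory owned by process user`) now only holds for the `files` handler; for a memcache handler the fallback is a filesystem path the handler presumably cannot use, so a pool that selects memcache must also set `session_save_path`, which the comment should say. Note also that pools sharing one memcache server share one session key space, a weaker boundary than the per-pool directory the files handler gives; the rest of the pool template is outside the hunk.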


@ -5,6 +5,10 @@ postfix_biff: "no"
postfix_append_dot_mydomain: "no"
postfix_use_relay_host: True
# Accepted values: none, may, encrypt
postfix_smtpd_tls_security_level: encrypt
# Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
postfix_smtp_tls_security_level: encrypt
postfix_use_sasl_auth: True
postfix_smtp_sasl_auth_enable: "yes"
postfix_smtp_create_relay_user: True
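Review bot: `postfix_smtpd_tls_security_level` feeds both the main.cf `smtpd_tls_security_level` and the submission service's `-o smtpd_tls_security_level=` override in master.cf in this commit, so relaxing it to `may` or `none` for local clients also relaxes the authenticated submission port, where `smtpd_sasl_auth_enable=yes` is set; whether `smtpd_tls_auth_only` still covers that case depends on a conditional block that is outside the main.cf hunk. Give the submission service its own default, `postfix_submission_tls_security_level: encrypt`, and use that in master.cf so the two can be relaxed independently. The comment above the variable should name both places it is applied.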


@ -1,6 +1,5 @@
---
- include: smtp-common-packages.yml
when: postfix_relay_client
- include: smtp-sasl-auth.yml
when:
- postfix_use_sasl_auth


@ -1,54 +1,40 @@
---
- name: Write the network hash file
template: src=network_table.j2 dest=/etc/postfix/network_table owner=root group=root mode=0444
when: postfix_relay_server
notify: Update the network hash table
tags:
- postfix-relay
- name: Activate the submission port on the postfix master file
template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
when: postfix_relay_server
notify: Restart postfix
tags:
- postfix-relay
- name: Install the sasl2 authentication infrastructure
apt: pkg={{ item }} state=installed
with_items: postfix_sasl_packages
when: postfix_relay_server
tags:
- postfix-relay
- name: Create the sasl directory inside /etc/postfix
file: dest=/etc/postfix/sasl state=directory owner=root group=root mode=0555
when: postfix_relay_server
tags:
- postfix-relay
- name: Install the smtpd.conf file inside inside /etc/postfix/sasl
copy: src=sasl_smtpd.conf dest=/etc/postfix/sasl/smtpd.conf owner=root group=root mode=0444
when: postfix_relay_server
tags:
- postfix-relay
- name: Enable the saslauth daemon
action: configfile path=/etc/default/saslauthd key=START value='yes' syntax=shell
when: postfix_relay_server
notify: start saslauth daemon
tags:
- postfix-relay
- name: Change the socket path because postfix on debian runs inside a chroot jail
action: configfile path=/etc/default/saslauthd key=OPTIONS value='"-c -m /var/spool/postfix/var/run/saslauthd"' syntax=shell
when: postfix_relay_server
notify: restart saslauth daemon
tags:
- postfix-relay
- name: Assign the sasl group to the postfix user so that postfix can use the saslauthd socket
user: name=postfix groups='sasl'
when: postfix_relay_server
notify: Restart postfix
tags:
- postfix-relay
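Review bot: `user: name=postfix groups='sasl'` at the end of the hunk has no `append=yes`, so it replaces the postfix user's supplementary groups with `sasl` alone rather than adding to them; the users role in this same commit adds `append=yes` for exactly this reason, so `user: name=postfix groups='sasl' append=yes` keeps the two consistent. This hunk shows fewer lines than its header counts, so I cannot tell from the page which tasks the commit removed from this file.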


@ -13,3 +13,9 @@
tags:
- postfix-relay
- name: Activate the submission port on the postfix master file
template: src=postfix-master.cf.j2 dest=/etc/postfix/master.cf owner=root group=root mode=0444
notify: Restart postfix
tags:
- postfix-relay
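Review bot: The submission-port task added here carries no `when:`, unlike its counterpart in smtp-relay-server.yml which is gated on `postfix_relay_server`; this file is included whenever `postfix_use_sasl_auth` is true (the default in this commit's defaults file), so a relay client that only authenticates outbound would also get a submission listener with `smtpd_sasl_auth_enable=yes` written into its master.cf. Add `when: postfix_relay_server` to the task, or keep it in the server task list. The earlier tasks in this file are outside the hunk.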


@ -23,9 +23,9 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
{% endif %}
smtpd_use_tls=yes
smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
# Client
smtp_tls_security_level = encrypt
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
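Review bot: `smtpd_tls_security_level` is now set twice in main.cf whenever the conditional block above is active, once hard-coded to `encrypt` inside it and again from `postfix_smtpd_tls_security_level` after `{% endif %}`; Postfix takes the later value and logs an overriding-earlier-entry warning, so the hard-coded line is dead and the variable silently wins. Drop one of them (the line inside the block, if the variable is meant to be authoritative). `smtpd_use_tls=yes` is the older control that `smtpd_tls_security_level` supersedes whenever it is non-empty, so it can go too, and the new line reads more consistently with its neighbours as `smtpd_tls_security_level = {{ postfix_smtpd_tls_security_level }}`. The condition that opens the block is outside the hunk.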


@ -16,7 +16,7 @@ smtp inet n - - - - smtpd
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions


@ -3,7 +3,6 @@
# Use the apt proxy
#
use_apt_proxy: False
apt_proxy_url: "http://apt.research-infrastructures.eu:9999"
pkg_state: installed
common_packages:
@ -97,24 +96,24 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates
#
# debian/ubuntu distributions controllers
#
has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6"
has_default_grub: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6"
has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04 or {{ ansible_distribution_version }} == 12.04)"
has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5"
has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_distribution_major_version }}' >= 5"
has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_lsb['major_release'] }} >= 8))"
has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_distribution_major_version }} >= 8))"
is_debian: "'{{ ansible_distribution }}' == 'Debian'"
is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)"
is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5"
is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4"
is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6"
is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} == 6)"
is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 5"
is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} == 4"
is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} != 6"
is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} <= 7"
is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} < 6"
is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)"
is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6)"
is_hardy: "'{{ ansible_distribution_release }}' == 'hardy'"
is_broken_hardy_lts: "'{{ ansible_distribution }}'== 'Debian' and '{{ ansible_distribution_release }}' == 'NA'"
@ -126,19 +125,19 @@ is_trusty: "'{{ ansible_distribution_release }}' == 'trusty'"
is_ubuntu: "'{{ ansible_distribution }}' == 'Ubuntu'"
is_not_precise: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 12.04) or '{{ ansible_distribution }}' == 'Debian'"
is_not_trusty: "('{{ ansible_distribution }}' == 'Ubuntu' and {{ ansible_distribution_version }} != 14.04) or '{{ ansible_distribution }}' == 'Debian'"
is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} >= 12)"
is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12)"
is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 14)"
is_not_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 12)"
is_ubuntu_less_than_precise: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12)"
is_ubuntu_less_than_trusty: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 14)"
# Ubuntu < 10.04 or Debian 4
is_ubuntu_between_8_and_9_and_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 8.04 or {{ ansible_distribution_version }} == 8.10 or {{ ansible_distribution_version }} == 9.04)) or ({{ is_debian4 }})"
#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_lsb['major_release'] }} < 12) or ({{ is_debian4 }})"
#is_ubuntu_between_8_and_9_or_is_debian_4: "('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} < 12) or ({{ is_debian4 }})"
is_ubuntu_between_8_and_9_or_is_debian_4: "'{{ is_ubuntu_between_8_and_9_and_is_debian_4 }}'"
# Ubuntu between 10.04 and 11.04
is_ubuntu_between_10_04_and_11_04: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution_version }} == 10.04 or {{ ansible_distribution_version }} == 10.10 or {{ ansible_distribution_version }} == 11.04)"
# Ubuntu between 10.04 and 11.04, or Debian 6
is_ubuntu_between_10_04_and_11_04_and_is_debian_6: "({{ is_ubuntu_between_10_04_and_11_04 }} or {{ is_debian6 }})"
# Debian >=6
is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6"
is_debian_greater_than_5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} >= 6"
is_trusty_or_debian7: "('{{ ansible_distribution_release }}' == 'trusty') or ('{{ ansible_distribution_release }}' == 'wheezy')"
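Review bot: The rewritten `has_apt` line quotes the version, `'{{ ansible_distribution_major_version }}' >= 5`, while every other rewritten line compares it unquoted; a string compared with an integer is not a numeric test (on Python 2 the interpreter orders by type, so it is true for any string, and on Python 3 it raises), so it should read `{{ ansible_distribution_major_version }} >= 5` like `has_default_grub` directly above. `ansible_distribution_major_version` is not guaranteed to be numeric on every release (testing/unstable hosts in particular), so the `!= 'lenny/sid'` guards the older lines kept are still worth keeping. More broadly, these variables are Jinja expressions stored as strings that only behave because Ansible re-templates a bare variable in `when:`, which is why they cannot be combined with `and`/`or`; conditions that use the facts directly, e.g. `when: ansible_distribution_release in ['precise', 'trusty']`, avoid that, as the iptables role in this commit had to discover.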


@ -10,5 +10,5 @@ users_sudoers_create_group: False
users_sudoers_create_sudo_conf: False
users_home_dir: /home
#users_system_users:
# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' }
# - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }


@ -29,11 +29,11 @@
- users
- name: Add the admin users to the sudoers group
user: name={{ item.login }} groups={{ users_sudoers_group }}
user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
with_items: users_system_users
when:
- users_system_users is defined
- item.admin == 'True'
- item.admin
tags:
- users
@ -43,7 +43,7 @@
when:
- users_system_users is defined
- item.ssh_key is defined
- ( item.log_as_root is defined ) and ( item.log_as_root == 'True' )
- ( item.log_as_root is defined ) and ( item.log_as_root )
tags:
- users
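Review bot: `- item.admin` and `( item.log_as_root )` are plain truthiness tests, and the defaults file in this commit changed its example from `admin: 'False'` to `admin: False`; any inventory still using the quoted form (the form the old example documented) now passes the test, because the non-empty string `'False'` is truthy, and such a user is added to the sudoers group. Coerce the value explicitly, `- item.admin | bool` and `- ( item.log_as_root is defined ) and ( item.log_as_root | bool )`, which accepts both spellings. The `append=yes` addition on the `user:` line is right, since without it the task replaced the user's other supplementary groups. The task in the second hunk starts outside it.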