library/roles/ubuntu-deb-general: Various fixes

fail2ban/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
 - include: fail2ban.yml
-  when: ( is_trusty ) or ( is_debian8 )
-
-
+  when:
+    - is_trusty
+    - is_debian8

ubuntu-deb-general/defaults/main.yml

@@ -5,6 +5,7 @@
 use_apt_proxy: False
 apt_proxy_url: "http://apt.research-infrastructures.eu:9999"
 
+pkg_state: installed
 common_packages:
   - acl
   - zile
@@ -25,6 +26,11 @@ common_packages:
   - bash-completion
   - sudo
 
+# Set this variable in your playbook
+# additional_packages:
+#   - pkg1
+#   - pkg2
+
 # Unattended upgrades
 unatt_allowed_origins:
   - '${distro_id}:${distro_codename}-security'
@@ -82,6 +88,10 @@ configure_munin: False
 # Manage the root ssh keys
 manage_root_ssh_keys: False
 
+install_external_ca_files: True
+external_ca_dest_dir: /etc/ssl/certs
+external_ca_list:
+  - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ external_ca_dest_dir }}/infn-ca.pem' }
 #
 # debian/ubuntu distributions controllers
 #

ubuntu-deb-general/tasks/denyhost.yml

@@ -3,33 +3,21 @@
   apt: pkg={{ item }} state=installed
   with_items:
     - denyhosts
-  when:
-    - is_debian_7_or_older
-    - is_ubuntu_less_than_trusty
   tags: denyhosts
 
 - name: ensure CM can access the VMs
   action: |
     lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.18$" line="sshd: 146.48.123.18"
-  when:
-    - is_debian_7_or_older
-    - is_ubuntu_less_than_trusty
   tags: denyhosts
 
 - name: ensure Monitoring can connect via ssh
   action: |
     lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.23$" line="sshd: 146.48.123.23"
-  when:
-    - is_debian_7_or_older
-    - is_ubuntu_less_than_trusty
   tags: denyhosts
 
 - name: Set the treshold for root on the denyhosts config file
   lineinfile: |
     name=/etc/denyhosts.conf regexp="^DENY_THRESHOLD_ROOT = " line="DENY_THRESHOLD_ROOT = 5"
-  when:
-    - is_debian_7_or_older
-    - is_ubuntu_less_than_trusty
   notify: Restart denyhosts
   tags: denyhosts 
 

ubuntu-deb-general/tasks/install_external_ca_cert.yml

@@ -1,6 +1,7 @@
 ---
 - name: Install the INFN CA certificate
-  get_url: url=https://security.fi.infn.it/CA/mgt/INFNCA.pem dest=/etc/ssl/certs/infn-ca.pem
-  tags:
-    - ca
+  get_url: url={{ item.url }} dest={{ item.dest_file }}
+  with_items: external_ca_list
+  when: install_external_ca_files
+  tags: ca
 

ubuntu-deb-general/tasks/main.yml

@@ -3,15 +3,14 @@
 - include: resolvconf.yml
   when: install_resolvconf
 - include: packages.yml
+- include: ntp.yml
 - include: remove-unneeded-pkgs.yml
 - include: manage-ipv6-status.yml
   when: is_not_debian_less_than_6
 - include: disable-ipv6-old-servers.yml
   when: disable_ipv6
 - include: denyhost.yml
-  when:
-    - is_debian_7_or_older
-    - is_ubuntu_less_than_trusty
+  when: is_debian_7_or_older or is_ubuntu_less_than_trusty
 - include: munin.yml
   when: configure_munin
 - include: pubkeys.yml

ubuntu-deb-general/tasks/ntp.yml

@@ -0,0 +1,9 @@
+---
+- name: Install the ntp server
+  apt: pkg=ntp state={{ pkg_state }}
+  tags: [ 'packages', 'ntp' ]
+
+- name: Ensure that the ntp server is running
+  service: name=ntp state=started enabled=yes
+  tags: [ 'packages', 'ntp' ]
+

ubuntu-deb-general/tasks/packages.yml

@@ -69,24 +69,16 @@
   apt: update_cache=yes
   when: update_apt_cache.changed
   ignore_errors: True
-  tags:
-    - packages
+  tags: packages
 
 - name: install common packages
-  apt: pkg={{ item }} state=installed
+  apt: pkg={{ item }} state={{ pkg_state }}
   when: has_apt
   with_items: common_packages
   tags: [ 'packages', 'common_pkgs' ]
 
-- name: Install the ntp server
-  apt: pkg=ntp state=installed
-  tags:
-    - packages
-    - ntp
-
-- name: Ensure that the ntp server is running
-  service: name=ntp state=started
-  tags:
-    - packages
-    - ntp
+- name: Install additional packages, if any
+  apt: pkg={{ item }} state={{ pkg_state }}
+  with_items: additional_packages
+  tags: [ 'packages', 'common_pkgs' ]