Various fixes to the library roles.

2015-07-13 14:17:42 +02:00 · 2015-07-13 14:17:42 +02:00 · d37840100e
parent 4fcf0c81a3
commit d37840100e
17 changed files with 117 additions and 65 deletions
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@ -3,6 +3,9 @@ haproxy_latest_release: False
 haproxy_version: 1.5
 haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
 haproxy_pkg_state: latest
+haproxy_enabled: True

 haproxy_default_port: 80
 haproxy_terminate_tls: False
+haproxy_ssl_port: 443
+haproxy_admin_port: 8880
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@ -25,3 +25,14 @@
  apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
  when: haproxy_latest_release
  tags: haproxy
+
+- name: Ensure that haproxy is enabled and started
+  service: name=haproxy state=started enabled=yes
+  when: haproxy_enabled
+  ignore_errors: True
+  tags: haproxy
+
+- name: Ensure that haproxy is stopped and disabled if needed
+  service: name=haproxy state=stopped enabled=no
+  when: not haproxy_enabled
+  tags: haproxy
--- a/iptables/handlers/main.yml
+++ b/iptables/handlers/main.yml
@ -1,6 +1,15 @@
 ---
 - name: Start the iptables service
-  service: name=iptables-persistent state=started
+  service: name=iptables-persistent state=restarted enabled=yes
+  when:
+    - is_precise
+    - is_trusty
+    - is_debian7
+  notify: Restart fail2ban
+
+- name: Start the netfilter service
+  service: name=netfilter-persistent state=restarted enabled=yes
+  when: is_debian8
  notify: Restart fail2ban

 - name: Flush the iptables rules
@ -19,7 +28,3 @@
  service: name=fail2ban state=restarted enabled=yes
  when: is_trusty

-
- name: Start the netfilter service
-  service: name=netfilter-persistent state=started
-  notify: Restart fail2ban
--- a/iptables/tasks/main.yml
+++ b/iptables/tasks/main.yml
@ -22,7 +22,10 @@
  with_items:
    - rules.v4
    - rules.v6
-  when: is_precise or is_trusty or is_debian7
+  when:
+    - is_precise
+    - is_trusty
+    - is_debian7
  notify: Start the iptables service
  tags:
    - iptables
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@ -61,6 +61,19 @@
 -A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
 {% endif %}

+{% if mysql_db_port is defined %}
+{% if mysql_listen_on_ext_int %}
+# mysql clients
+{% for db in mysql_db_data %}
+{% for ip in db.allowed_hosts %}
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
+{% endfor %}
+{% endfor %}
+{% endif %}
+-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
+-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
+{% endif %}
+
 {% if mongodb_allowed_hosts is defined %}
 # mongodb clients
 {% for ip in mongodb_allowed_hosts %}
--- a/mysql/defaults/main.yml
+++ b/mysql/defaults/main.yml
@ -2,6 +2,7 @@
 mysql_enabled: True
 mysql_pkg_state: present
 mysql_conf_dir: /etc/mysql/conf.d
+mysql_socket: /var/run/mysqld/mysqld.sock

 # python-mysqldb is needed by ansible to manage users and databases
 mysql_packages_list:
--- a/mysql/templates/client.cnf.j2
+++ b/mysql/templates/client.cnf.j2
@ -2,5 +2,5 @@
 [client]
 #password       = your_password
 port            = 3306
-socket          = /var/lib/mysql/mysql.sock
+socket          = {{ mysql_socket }}

--- a/mysql/templates/server.cnf.j2
+++ b/mysql/templates/server.cnf.j2
@ -3,7 +3,7 @@
 # The MariaDB server
 [mysqld]
 port            = {{ mysql_db_port }}
-socket          = /var/lib/mysql/mysql.sock
+socket          = {{ mysql_socket }}
 max_connections	= {{ mysql_db_max_connections }}
 skip-external-locking
 key_buffer_size = 16M
@ -18,13 +18,13 @@ myisam_sort_buffer_size = 16M
 # Point the following paths to different dedicated disks
 #tmpdir         = /tmp/

-# Don't listen on a TCP/IP port at all. This can be a security enhancement,
-# if all processes that need to connect to mysqld run on the same host.
-# All interaction with mysqld must be made via Unix sockets or named pipes.
-# Note that using this option without enabling named pipes on Windows
-# (via the "enable-named-pipe" option) will render mysqld useless!
-#
-#skip-networking
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+{% if mysql_listen_on_ext_int %}
+bind-address            = 0.0.0.0
+{% else %}
+bind-address            = 127.0.0.1
+{% endif %}

 # Enable binary logging. This is required for acting as a MASTER in a
 # replication configuration. You also need the binary log if you need
@ -49,4 +49,4 @@ innodb_flush_log_at_trx_commit = 1
 innodb_lock_wait_timeout = 50

 [mysqld_safe]
-open-files-limit = {{ mysql_safe_open_files_limit }}
+open-files-limit = {{ mysql_safe_open_files_limit }}
--- a/postgresql/tasks/configure-access.yml
+++ b/postgresql/tasks/configure-access.yml
@ -21,7 +21,7 @@
    - pg_hba

 - name: We want postgres listen on the public IP
-  action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="*"
+  action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'*'"
  notify: Restart postgresql
  when:
    - psql_listen_on_ext_int
@ -32,7 +32,7 @@
    - pg_conf

 - name: If postgresql is only accessed from localhost make it listen only on the localhost interface
-  action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="localhost"
+  action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key=listen_addresses value="'localhost'"
  notify: Restart postgresql
  when:
    - not psql_listen_on_ext_int
--- a/revive-adserver/defaults/main.yml
+++ b/revive-adserver/defaults/main.yml
@ -1,7 +1,7 @@
 ---
 revive_pkg_state: latest

-revive_ad_version: 3.1.0
+revive_ad_version: 3.2.1

 revive_ad_download_url: 'http://download.revive-adserver.com/revive-adserver-{{ revive_ad_version }}.tar.gz'
 revive_ad_install_dir: '/opt'
--- a/ssh-keys/defaults/main.yml
+++ b/ssh-keys/defaults/main.yml
@ -32,7 +32,8 @@ farah_karim: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzKSQSk3ntKGUW2Cy8lt/44BTK2+U
 luca_frosini: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlTQulSJFayTJyOOecgsct35u7uvVQGX/Da11UZVxvJzw2sQKOMSCMBBGF9zUlcMoP/qvF425jVMM71S8kamCcqgSN528fp9W/Nhw7s15NbCE3H9tJ3B+u5ESOYsRfgogeTIyL26aIY/2rke0DoKDIMU3YlOtN/1ipt5cY9uV3ootxTM126y2WChICGo0h77M/Ta1pIccUE0XbuaA1HwlJBkfDzQ2kh5tkaC7mjeETstOQzpEoPFoVr0qwSPz1Y6l8uiedpDZejrq64Z2zRcSxjEQ1wuA9r8uO7TJQttUKK8m/dHMe6q3WAiFc9sOYe4tf/GEmziB8VloMTNCPJQiz lucafrosini@pc-frosini
 francesco_mangiacrapa: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa0NzwaCcauxAFlsupU2xG2eff9nzep9bnb8pISbX2lk+K4yoJvJOAz9W9klJtpPX/IUJx18YR4jjDNcdiYWNh4Y+5jKT2EhSPNkj7Vw2MhA/ZeOrfHx7JNtL8gdxa8XxYB0ZoZqutRppmaRwWmGGwdVh0wyUzWR/v0OT01IuQGYVneLKIjUtx+BcWGsosWISaOQzVbv9iTFbSwgjbkKFHzHasxwKsrK4t1wvbzuxwhVC+5/VKghBJWN219m/PO+itww/fSes0KpI5X/7q8jrYzUgYwrKwt290U41Fx8syDQ6101YnRzMXZRyZwuVNh2S7WosGWebg5nPS4IjKho/F francesco-mangiacrapa@ubuntu-francesco-i24
 lucia_vadicamo: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAqR/WChJL0M/EOQ1Jg7x7H5dmgb9jb/Rs+ZsWFdEvIlbNzZPUhTofvazHHLObR/RtLl4+9jjG83bNJHOTysrtY0c4BOcgBRFm3HRAr6TTU7bpoC0bleycKWmgXbP3nVfRgwd0N0tlmsDMBopdfZ7BwUH3SARQ8ssWbi1ahTP6IiYE6oCOxzDhXHRRGIdHhcRbE6vFaN+BTQKX/1zfFimPnuhiQUyZwX1KtBNnjxbxaNTIUbyDUxmyLo3S66EnNqXD6n4jDDWXJb0HkI4eDTtGFxaF02PSzXr8X3ZTWDBX+/YkzaWeesvtubYa0QlZ19D2+WJZJi0SmPDf7XifPtq0iu2UB4DFPQeRGAIctxmxTSMQMhngblSdSY6R+ZXG8yxtd/b3iNQaD3s8xkjYeXouno6djnJyIA/Wu2Asn6zLJC5qyVTTNUq5QNMIoNoX4Eq74eri2yzieQGRegDNie5NxjiRyo4kdHV3gihRDm53MCUL1aKz0SijmSfNeaP8weO77qKXaYNbuiEJYtU2io14mOHYHfMlvFf059QcqxQUAEOWl1YrELExHJmNJKjl/2/nCq6Ns4JMDEHicisjTfE5GAZHJVFgKRVroRzySHfxRTBXXyPDPzjN9aZy7HKSFiUXnKKS3jrVsbQ5xKdtOOzo6Uy3mIakTQ/JWDbzQ0fMwoE= lucia.vadicamo@isti.cnr.it
-sahar_vahdati: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605
+sahar_vahdati_old: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605
+sahar_vahdati: ssh-dss AAAAB3NzaC1kc3MAAAEBAMAfb7STRygwnvobeoYs+znGDFSauwFJ53SGiqxWvws7VO84JLCGPrInrnFYhU6eJAWd7W24ebQhBLqEKprJ85+j068F8kBL3EoR3yyS47jHeM9nZtQEoPuPJIdQotKEUcsEB0qXsdxrK/g2xOwEE/QTvxHHoHdrlrV5i8nL2iRJZTLn1OdoyHTUJMX778RJuqsApY9duyi6Sx7YshF4uFqNiarrEUu0ldG2K8akBwQEvDBJuXsDKD5GJmRzBbqDX8xswTORelvcVtDk/TD0wMMKudBNQfktTPXATBCx6oPQ3gzBlLDF4KrnwKZ+I75c6/Q+AIz3OMM8vrcB6JMLk0MAAAAVAPKLs+YuP5ulRX484PevayNHavKJAAABAFcjNAQ1KxUKaNBeDMtNj8WWkMyx02HUPWf8ztKetTyvavK4ILTrQAwsgvH3dmOMSnm4ckWMSxQ/v+zbU/mKNddyNo7BJqRT4rKbQUvp5Mg5E+PkZNZaiTu9C8rLIa1JbUoEyssqLAlFbIviJlwpLgaf+jY7ZCJso7kCYRWkcXMaEnNvqCd5u8IAGBZijI/L9TtAIyjgYoh4pYdAPWjYTjH+nH9xpIuN7KQEVq1ba/WyAe9xVNPta+fnuHiUHbUpNaExhIs4pskfCI5EuBBgxtixkSPssZaNFlWXx2rwFLnfvnLxeG9t7qbXs5LPoo0x0miq/eo+jgIHel9uEvN/BNYAAAEAQ/qXwtXcw1aA7PoKOTOmwaproFmcnu/7unEEu16/G4F2t76kz4CwehGgq19MnbgfzBL64qfs9A5UxI4HRJ6e5/Ik1a1dv/tSVSgA+rKJWeCZr1cTg5Y/u7OAk/mik0nL7r7TraofYvGAWl7ckYeN/28wv5TWSNB6CkPix69DgLvapjU5RG+7DPhzINc5MF75MjFRTnc5eAeC2wv2+3MzGzm78+i6UPpwd7Jj/BKTvtj0XinHJj+QNhkVtH6lAYDnAJNrQXpiGCKScVs1YCNbF9xHtBN1wlU99k+FdjLVsef3L348c3QWTVloXoh+HC0eNwt8QvLUyZLGyaCAy0ifvw== dsa-key-20150709
 christoph_lange: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFxHqgmIkBfdyxRCMGhj2R+Bj05EBB7DlBrlKy6eM3K3EnPP+0dlMW+KhGwcu5sHFjyPtdngEO8AX1TQCUgifhd9++fBVAfUfKU5+dUqqyFFeQjQMqbf7pzWCJ9JjQ5tk1If9IzgBe/50ro0SCqIbod3FogSe4RZqQV1P0znxaHt4ngJSRYnRK+6gniMuT+SlcKgjDM8v8RP4ELWvE0ibduUGoyCEzmmroXgymcL7tpqHTdfo8o3mbcwqRGmCHEplQttFG57PwkJlcQvhKuJHo/Sgcyx2WuEFL/vZMFnuXhaNFg7I1UIO9bNwsLjsbnR9FEK9rjwwl8dKQHDh5R1zQ== clange@BACH

 # Use the list when you want to give access to non root users
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@ -79,25 +79,7 @@ install_resolvconf: True
 configure_munin: False

 # Manage the root ssh keys
-manage_root_ssh_keys: True
-
-cm_pubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJN8XR/N4p6FfymWJy7mwR3vbUboC4P+7CgZalflhK5iH0P7c24/zZDY9Y5QIq58IViY7napqZuRkNHnHcvm9mxtSxQ16qe03NulABN5V/ljgR0sQAWz8pwv68LDpR9uBSCbXDdDCUUlS+zOxCHA6s7O7PSFavX4An1Vd/mjwoeR4eLRQXNcKsK2Pu/BZ3TCLmWyi2otnxFiJ8IoKW1CvjxKWmt5BvAvys0dfsdnTSVz9yiUMwN5Oj8cw/jhKqadnkvqTGfGl1ELm9L2V7hT6LM0cIom9oRsQf+JJ6loBe3UUZGaAhY2jmARmZdX3qV9Wh+UtxaWMEAXB9mf/2cK9f jenkins@cm
-andrea_dellamico: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9n6B+J5S7NPnwjejPC2WrvcRzC07WPnAoQ7ZHZ0Mv9JakyWItswzI3Drz/zI0mCamyuye+9dWz9v/ZRwUfBobVyXuptRaZIwxlMC/KsTZofpp3RHOBTteZ4/VM0VhEeiOHu+GuzNE0fRB2gsusWeMMae2cq4TjVAOMcQmJX496L703Smc14gFrP8y/P9jbC5HquuVnPR29PsW4mHidPmjdKkO7QmDfFAj44pEUGeInYOJe708C03NCpsjHw8AVdAJ6Pf16EOdDH+z8D6CByVO3s8UT0HJ85BRoIy6254/hmYLzyd/eRnCXHS/dke+ivrlA3XxG4+DmqjuJR/Jpfx adellam@semovente
-tommaso_piccioli: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzcHuDU7PgJwz34AsVG0E2+ZRx17ZKW1uDEGABNk3Z60/c9LTwWKPj6kcIRy6RzFJI5X+IgPJnYouXVmJsIWjVL8IRk8fP1ffJC6Fyf6H7+fCxu/Wwed5OoOCvKeZ0bEmJ1tlXFM6+EnxKqLCvz3fsNy8e4WKMnpS1hT8K6YB7PMjt60S3wOaxds1Lv4NmmgnfGM5uZFYrZCx1/GJCzNSh7AEEEUIVQ1B8xmXbet7whNiwDmiOnXSlt38dkIYT8kNMuRCj/r9wPr7FmoUCOFzUVXTcnuYagKyURrZ8QDyHbK6XQLYXgvCz/lWoErGFbDqpmBHHyvKSeLPxYfJpWJ70w== tom@tom
-backup_agent: ssh-dss AAAAB3NzaC1kc3MAAACBANBn5i7oJd12+GAeDVSAiPqCxcCDzWe41g3Vy/LhbYKwG0smPNJRfvyf7lKWkgolJfMJZrk7bBVhJoApkV7vkFkrSPueyRC+/ohjafpOsmxRYiOaSrDZ2c9TbGFVZTh23pUXoDPp2Z0N8l471b9Mx/nqgtflCV+IVICcDZbUhcCTAAAAFQC+fmfljTFllCMKsgrSJcQAtiIT/QAAAIEAvrsLfmQzHQjt4G5FhcPVbvP87KUsDh0xksCfMRP6bQBz/3mcnt7V5/MLll/CZMiOWjRK3ww9zCYHprUwQtAZSllFWiGUKw1tDvf1ZQGESYP/vvWwcpPZpVsRHlhRtuMsQchSRxw03yYOqEEa2akWzQlvaZ4CWWym931mZg6zY4AAAACAG/l8dU/QEMK1JP3rDV0kZYvcxjUC9Mxw5ScTyVqVnxDL75ssX9HiQamsiTk0dYNyl8qkB38FfkB4LhEb8FkHs4toN+nTNPPlLqhpYMs+anwyNy32LnXAVP02VJ2+3exwGe0b5vtIFpj+j8s7YZMHN5x6d4xhZ9oq5M2pJN6M48E= root@dlibbackup
-monja_dariva: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQJvgDc8lQB+EArajGPEirRuYxGcInfiM3uRS0P5Dhqch6cuNdMFFjCoQVFL2Dvs7QNSRm8mvnPLWOCYLEFPBdXlA63w+n3VWoVOs0lUgQM77/axetd/K8BCkJlcA/exvVxLtzc5k8hN1k3OJY/Npi2Xa4WyEMV6t7+vYK3MXPjFBy4Y/aLWZvHcCn0zUbeB8T8PJ2S8taCIOMzemUzjGs3c0f4y6oaJx1gPw31PCahkaVS4ZLSt+0y3DRaGiXjyzgbQPf1whBOT4SSiX3SgdMvxA/Fzz2sSAn9PNfKq+/vygn7qDB79qzBhOXs36dPuwmsqggxIZasGUT/YfRp5Cw== monja@pc-monja
-
-old_marko_mikulicic: ssh-dss AAAAB3NzaC1kc3MAAACBAO/KjuevegLjP3SXeZAdmHySuOjlNWllsuurdzes9HwF7HBEtFAuSE7vBeNcpfsdUytq92JUBAwNk9VwxNnnyVgeznFQ7ocGBh0Yfu4j9EXiWVA7vO8xZ9kqjl+HwUELrR1a8d4mngXgNQ1OAm+i3vvpBA6b4CV2L2hrEsPL5LPVAAAAFQD0VroYiG13uOsHCJaVyWH6V7w4twAAAIA4moWcTj36r+FpJYHH3c+QGC8XgPi6mwsqJexJ3sZRfEDAuDTgB5UyLJStY5EE2pChVpACx8KDlONcyuCdA8HIDC+RAJ03tY//UR2Ndg1y0yH8BnpjFM9Ow5JcoWzz9clC4GD0zGA90aiQd37I3JfPoTTEjLvJegg/C8GtlLtB+AAAAIEAgHwTzFLfZ0Q5tDK/kxeKa/x52O4ZfOXBTOYQZy5A6+ohoOOIKuEYmUOxh9ovE38St2+Q+1CgGnhBA79Y2pBdzpvY6VwKdcQBtyZSsJ7ghMTpksdNwZkZ3rIDgMi0yeBUl9qe339dXzV77uM/Q8Tx0UhSHTEIpyu1WZ8d/AAqrCQ= marko
-
-root_ssh_keys:
-  - '{{ cm_pubkey }}'
-  - '{{ andrea_dellamico }}'
-  - '{{ tommaso_piccioli }}'
-  - '{{ backup_agent }}'
-  - '{{ monja_dariva }}'
-
-obsolete_root_ssh_keys:
-  - '{{ old_marko_mikulicic }}'
+manage_root_ssh_keys: False

 #
 # debian/ubuntu distributions controllers
@ -109,7 +91,6 @@ has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution
 has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5"

 is_debian: "'{{ ansible_distribution }}' == 'Debian'"
-#is_debian7: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 7"
 is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
 is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
 is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)"
--- a/ubuntu-deb-general/tasks/pubkeys.yml
+++ b/ubuntu-deb-general/tasks/pubkeys.yml
@ -3,11 +3,11 @@
 - name: various pub ssh keys for users and apps
  authorized_key: user=root key="{{ item }}" state=present
  with_items: root_ssh_keys
-  tags:
-    - root_pubkeys
+  when: manage_root_ssh_keys
+  tags: root_pubkeys

 - name: Remove obsolete keys from the authorized ones
  authorized_key: user=root key="{{ item }}" state=absent
  with_items: obsolete_root_ssh_keys
-  tags:
-    - root_pubkeys
+  when: obsolete_root_ssh_keys is defined
+  tags: root_pubkeys
--- a/varnish-cache/defaults/main.yml
+++ b/varnish-cache/defaults/main.yml
@ -8,23 +8,42 @@ varnish_pkg_name: varnish
 varnish_pkg_state: present
 varnish_enabled: True

-
-varnish_listen_port: 6810
+varnish_instance_name: '{{ ansible_fqdn }}'
+varnish_listen_port: 6081
+varnish_admin_listen_port: 6082
+varnish_admin_listen_host: 127.0.0.1
+varnish_vcl_conf: /etc/varnish/default.vcl
+varnish_secret_file: /etc/varnish/secret
+varnish_pid_file: /var/run/varnish.pid
+varnish_n_files: 131072
+varnish_memlock: 82000
 varnish_static_c_timeout: 240s
 varnish_static_first_byte_timeout: 360s
 varnish_static_between_bytes_timeout: 360s
 varnish_min_threads: 10
 varnish_max_threads: 1000
+varnish_thread_timeout: 120
 # We are using 3000 in production
 varnish_static_max_connections: 200
+#
+# Choose if we want static disk based cache or volatile ram based one
+varnish_use_disk_cache: True
 varnish_storage_file: /var/lib/varnish/varnish_storage.bin
 # We are using 12288M in production
 varnish_storage_size: 1G
+#
+varnish_use_ram_cache: False
 # Expressed in MBs. We do not use it right now
-varnish_ram_cache_size: 512
+varnish_ram_cache_size: 512M
 # We are using 48000 in production
 varnish_ttl: 120
 varnish_user: varnish
 varnish_group: varnish
 varnish_purge_whitelist:
  - 127.0.0.1
+
+varnish_set_sysctl_params: False
+varnish_sysctl_file: 30-varnish.conf
+varnish_sysctl_kernel_parameters:
+  - { name: 'net.core.rmem_max', value: '212992' }
+  - { name: 'net.core.wmem_max', value: '212992' }
--- a/varnish-cache/handlers/main.yml
+++ b/varnish-cache/handlers/main.yml
@ -2,4 +2,7 @@
 - name: Reload varnish
  service: name=varnish state=reloaded

+- name: Restart varnish
+  service: name=varnish state=restarted
+

--- a/varnish-cache/tasks/main.yml
+++ b/varnish-cache/tasks/main.yml
@ -27,11 +27,31 @@
  with_items: varnish_pkg_name
  tags: varnish

+- name: Configure some kernel parameters via sysctl
+  sysctl: name={{ item.name }} value={{ item.value }} sysctl_file=/etc/sysctl.d/{{ varnish_sysctl_file }} reload=yes state=present
+  with_items: varnish_sysctl_kernel_parameters
+  when: varnish_set_sysctl_params
+  tags: [ 'varnish', 'varnishconf', 'sysctl' ]
+
 - name: Install the varnish parameters file. The config file needs to be set by a local task
  template: src={{ item }}.j2 dest=/etc/default/varnish owner=root group=root mode=0444
  with_items:
    - varnish.params
-  notify: Reload varnish
+  notify: Restart varnish
+  tags: [ 'varnish', 'varnishconf' ]
+
+- name: Install the varnish systemd unit in debian 8
+  template: src={{ item }}.systemd.j2 dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0444
+  with_items:
+    - varnish.service
+  notify: Restart varnish
+  when: is_debian8
+  register: install_varnish_unit
+  tags: [ 'varnish', 'varnishconf' ]
+
+- name: Reload the systemd unit when changed
+  command: systemctl daemon-reload
+  when: ( install_varnish_unit | changed )
  tags: [ 'varnish', 'varnishconf' ]

 - name: Ensure that the varnish service is started and enabled
--- a/varnish-cache/templates/varnish.params.j2
+++ b/varnish-cache/templates/varnish.params.j2
@ -12,23 +12,23 @@ START=no
 RELOAD_VCL=1

 # Maximum number of open files (for ulimit -n)
-NFILES=131072
+NFILES={{ varnish_n_files }}

 # Maximum locked memory size (for ulimit -l)
 # Used for locking the shared memory log in memory.  If you increase log size,
 # you need to increase this number as well
-MEMLOCK=82000
+MEMLOCK={{ varnish_memlock }}

 # Default varnish instance name is the local nodename.  Can be overridden with
 # the -n switch, to have more instances on a single server.
-INSTANCE=$(uname -n)
+INSTANCE={{ varnish_instance_name }}

 ## Alternative 3, Advanced configuration
 #
 # See varnishd(1) for more information.
 #
 # # Main configuration file. You probably want to change it :)
-VARNISH_VCL_CONF=/etc/varnish/default.vcl
+VARNISH_VCL_CONF={{ varnish_vcl_conf }}
 #
 # # Default address and port to bind to
 # # Blank address means all IPv4 and IPv6 interfaces, otherwise specify
@ -37,11 +37,11 @@ VARNISH_VCL_CONF=/etc/varnish/default.vcl
 VARNISH_LISTEN_PORT={{ varnish_listen_port }}
 #
 # # Telnet admin interface listen address and port
-VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
-VARNISH_ADMIN_LISTEN_PORT=6082
+VARNISH_ADMIN_LISTEN_ADDRESS={{ varnish_admin_listen_host }}
+VARNISH_ADMIN_LISTEN_PORT={{ varnish_admin_listen_port }}
 #
 # Shared secret file for admin interface
-VARNISH_SECRET_FILE=/etc/varnish/secret
+VARNISH_SECRET_FILE={{ varnish_secret_file }}

 # # The minimum number of worker threads to start
 VARNISH_MIN_THREADS={{ varnish_min_threads }}
@ -50,7 +50,7 @@ VARNISH_MIN_THREADS={{ varnish_min_threads }}
 VARNISH_MAX_THREADS={{ varnish_max_threads }}
 #
 # # Idle timeout for worker threads
-VARNISH_THREAD_TIMEOUT=120
+VARNISH_THREAD_TIMEOUT={{ varnish_thread_timeout }}
 #
 # # Cache file location
 VARNISH_STORAGE_FILE={{ varnish_storage_file }}
@ -70,12 +70,4 @@ VARNISH_TTL={{ varnish_ttl }}
 VARNISH_USER={{ varnish_user }}
 VARNISH_GROUP={{ varnish_group }}
 #
-DAEMON_OPTS="-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
-             -f ${VARNISH_VCL_CONF} \
-             -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
-             -t ${VARNISH_TTL} \
-             -p thread_pool_min=${VARNISH_MIN_THREADS} \
-             -p thread_pool_max=${VARNISH_MAX_THREADS} \
-             -p thread_pool_timeout=${VARNISH_THREAD_TIMEOUT} \
-             -S ${VARNISH_SECRET_FILE} \
-             -s ${VARNISH_STORAGE}"
+DAEMON_OPTS="-a :{{ varnish_listen_port }} -P {{ varnish_pid_file }} -f {{ varnish_vcl_conf }} -T {{ varnish_admin_listen_host }}:{{ varnish_admin_listen_port }} -t {{ varnish_ttl }} -p thread_pool_min={{ varnish_min_threads }} -p thread_pool_max={{ varnish_max_threads }} -p thread_pool_timeout={{ varnish_thread_timeout }} -S {{ varnish_secret_file }} -n {{ varnish_instance_name }} {% if varnish_use_disk_cache %}-s file,{{ varnish_storage_file }},{{ varnish_storage_size }}{% endif %} {% if varnish_use_ram_cache %}-s malloc,{{ varnish_ram_cache_size }}{% endif %}"