library: small fixes.

d4science-gcube/roles/mediawiki_setup/templates/nginx-mediawiki.j2: First attempt at a nginx ssl config.
2015-06-14 23:39:13 +02:00 · 2015-06-14 23:39:13 +02:00 · d69a92292c
parent ea27bed983
commit d69a92292c
11 changed files with 52 additions and 27 deletions
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@ -1,4 +1,5 @@
 ---
 - include: fail2ban.yml
-  when: is_trusty
+  when: ( is_trusty ) or ( is_debian8 )
+

--- a/iptables/defaults/main.yml
+++ b/iptables/defaults/main.yml
@ -40,4 +40,3 @@

 #iptables_default_policy: REJECT
 iptables_default_policy: ACCEPT
-iptables_open_all_to_isti_nets: False
--- a/iptables/handlers/main.yml
+++ b/iptables/handlers/main.yml
@ -20,3 +20,6 @@
  when: is_trusty


+- name: Start the netfilter service
+  service: name=netfilter-persistent state=started
+  notify: Restart fail2ban
--- a/iptables/tasks/main.yml
+++ b/iptables/tasks/main.yml
@ -12,8 +12,7 @@
  with_items:
    - rules.v4
  when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
-  notify:
-    - Start the iptables service on Ubuntu < 12.04
+  notify: Start the iptables service on Ubuntu < 12.04
  tags:
    - iptables
    - iptables_rules
@ -23,9 +22,21 @@
  with_items:
    - rules.v4
    - rules.v6
-  when: ( is_not_ubuntu_less_than_precise ) or ( is_debian7)
-  notify:
-    - Start the iptables service
+  when:
+    - is_not_ubuntu_less_than_precise
+    - is_debian7
+  notify: Start the iptables service
+  tags:
+    - iptables
+    - iptables_rules
+
+- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
+  template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
+  with_items:
+    - rules.v4
+    - rules.v6
+  when: is_debian8
+  notify: Start the netfilter service
  tags:
    - iptables
    - iptables_rules
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@ -20,7 +20,7 @@
 # ssh is always open. We use denyhosts to prevent unauthorized accesses
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 {% endif %}
-{% if iptables_open_all_to_isti_nets %}
+{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
 # Permit all traffic from our networks
 -A INPUT -s {{ network.isti }} -j ACCEPT
 -A INPUT -s {{ network.nmis }} -j ACCEPT
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@ -103,11 +103,13 @@ has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution

 is_debian: "'{{ ansible_distribution }}' == 'Debian'"
 #is_debian7: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 7"
+is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
 is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
 is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)"
 is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5"
 is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4"
 is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6"
+is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} <= 7"
 is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} < 6"
 is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)"

--- a/ubuntu-deb-general/tasks/denyhost.yml
+++ b/ubuntu-deb-general/tasks/denyhost.yml
@ -1,34 +1,35 @@
 ---
 - name: install denyhosts on debian <=7 and ubuntu <= 12.04
  apt: pkg={{ item }} state=installed
-  when: is_ubuntu_less_than_trusty
  with_items:
    - denyhosts
-  when: is_not_trusty
-  tags:
-    - denyhosts
+  when:
+    - is_debian_7_or_older
+    - is_ubuntu_less_than_trusty
+  tags: denyhosts

 - name: ensure CM can access the VMs
  action: |
    lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.18$" line="sshd: 146.48.123.18"
-  when: is_not_trusty
-  tags:
-    - denyhosts
+  when:
+    - is_debian_7_or_older
+    - is_ubuntu_less_than_trusty
+  tags: denyhosts

 - name: ensure Monitoring can connect via ssh
  action: |
    lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.23$" line="sshd: 146.48.123.23"
-  when: is_not_trusty
-  tags:
-    - denyhosts
-    - monitoring
+  when:
+    - is_debian_7_or_older
+    - is_ubuntu_less_than_trusty
+  tags: denyhosts

 - name: Set the treshold for root on the denyhosts config file
  lineinfile: |
    name=/etc/denyhosts.conf regexp="^DENY_THRESHOLD_ROOT = " line="DENY_THRESHOLD_ROOT = 5"
-  when: is_not_trusty
-  tags:
-    - denyhosts 
-  notify:
-    - Restart denyhosts
+  when:
+    - is_debian_7_or_older
+    - is_ubuntu_less_than_trusty
+  notify: Restart denyhosts
+  tags: denyhosts 

--- a/ubuntu-deb-general/tasks/main.yml
+++ b/ubuntu-deb-general/tasks/main.yml
@ -9,7 +9,9 @@
 - include: disable-ipv6-old-servers.yml
  when: disable_ipv6
 - include: denyhost.yml
-  when: is_not_trusty
+  when:
+    - is_debian_7_or_older
+    - is_ubuntu_less_than_trusty
 - include: munin.yml
  when: configure_munin
 - include: pubkeys.yml
--- a/ubuntu-deb-general/tasks/packages.yml
+++ b/ubuntu-deb-general/tasks/packages.yml
@ -45,6 +45,13 @@
  tags:
    - wheezy-backports

+- name: Install the backports repository on debian 8
+  apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present
+  register: update_apt_cache
+  when: is_debian8
+  tags:
+    - wheezy-backports
+
 - name: apt key for the internal ppa repository
  apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
  when: is_ubuntu
--- a/varnish-cache/defaults/main.yml
+++ b/varnish-cache/defaults/main.yml
@ -3,7 +3,7 @@ varnish_version: 4.0
 varnish_repo: True
 varnish_repo_requirements:
  - apt-transport-https
-varnish_repo_url: "https://repo.varnish-cache.org/debian/ wheezy varnish-{{ varnish_version }}"
+varnish_repo_url: "https://repo.varnish-cache.org/debian/ {{ ansible_distribution_release }} varnish-{{ varnish_version }}"
 varnish_pkg_name: varnish
 varnish_pkg_state: present
 varnish_enabled: True
--- a/yii/defaults/main.yml
+++ b/yii/defaults/main.yml
@ -16,7 +16,6 @@ yii_framework_dir: '{{ yii_install_dir }}/yii-{{ yii_version }}'
 yii_php_modules:
  - php-xml-dtd
  - php-xml-parser
-  - php-xml-serializer
  - php5-imagick
  - php5-memcache
  - php5-xcache