From 6a4a07d564688c6264a17040d1d0f253f4bdd048 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 5 Nov 2021 15:17:35 +0100
Subject: [PATCH] update..
---
ansible-dependencies-bullseye-sudo.yml | 23 ++
ansible-dependencies-bullseye.yml | 15 +
common.yml | 15 +
group_vars/all/main.yml | 118 +++++++-
hosts | 2 +
.../tasks/main.yml | 47 +++
roles/common/tasks/apt.yml | 36 ++-
roles/common/tasks/apt.yml.NEW | 275 ++++++++++++++++++
.../templates/etc/apt/sources.list.Debian.j2 | 22 +-
.../templates/etc/apt/sources.list.Ubuntu.j2 | 11 +
10 files changed, 541 insertions(+), 23 deletions(-)
create mode 100644 ansible-dependencies-bullseye-sudo.yml
create mode 100644 ansible-dependencies-bullseye.yml
create mode 100644 roles/ansible_dependencies-bullseye/tasks/main.yml
create mode 100644 roles/common/tasks/apt.yml.NEW
create mode 100644 roles/common/templates/etc/apt/sources.list.Ubuntu.j2
diff --git a/ansible-dependencies-bullseye-sudo.yml b/ansible-dependencies-bullseye-sudo.yml
new file mode 100644
index 0000000..99f7641
--- /dev/null
+++ b/ansible-dependencies-bullseye-sudo.yml
@@ -0,0 +1,23 @@
+---
+
+- hosts: initial_setup
+ gather_facts: false
+
+ vars:
+
+ # created with:
+ #
+ # echo -n 'E*********%' | ansible-vault encrypt_string --stdin-name 'ansible_become_password'
+ #
+ ansible_become_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34396433383837666135346136643137633333316131633235353039613361626631346434653636
+ 6431366536663636323537633965306135343239626434660a386663353837396263333035356365
+ 32636236383566316565383137613232353066313032373430643631303433616265323566663165
+ 3539316363386538370a353937613535313538366562616334313566366332393532616630636133
+ 6562
+
+
+ roles:
+ - ansible_dependencies-bullseye
+ - ansible_user
diff --git a/ansible-dependencies-bullseye.yml b/ansible-dependencies-bullseye.yml
new file mode 100644
index 0000000..ea592ef
--- /dev/null
+++ b/ansible-dependencies-bullseye.yml
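Review bot: The `# created with:` comment above `ansible_become_password` keeps a masked copy of the sudo password (`'E*********%'`), which tells anyone who can read the repository its length and its first and last characters, and the `echo -n '…' |` form it documents leaves the cleartext in shell history. I would shorten the comment to `# created with: ansible-vault encrypt_string --prompt --name 'ansible_become_password'` so the value is typed at a hidden prompt and no hint is stored. The same comment and the same vault blob are repeated in the `common.yml` hunk; keeping the vaulted value in one variables file would make rotation a single edit. Because the hint is already in the commit history, rotating this password is worth considering.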
@@ -0,0 +1,15 @@ +--- + +- hosts: initial_setup + remote_user: root + become: false + gather_facts: false + + vars_prompt: + + - name: ansible_ssh_pass + prompt: "Give root's password here" + + roles: + - ansible_dependencies-bullseye + - ansible_user diff --git a/common.yml b/common.yml index 016774b..f7ee41f 100644 --- a/common.yml +++ b/common.yml @@ -16,5 +16,20 @@ # ansible-playbook first_run.yml -i hosts -u root --ask-pass - hosts: all + + vars: + + # created with: + # + # echo -n 'E*********%' | ansible-vault encrypt_string --stdin-name 'ansible_become_password' + # + ansible_become_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34396433383837666135346136643137633333316131633235353039613361626631346434653636 + 6431366536663636323537633965306135343239626434660a386663353837396263333035356365 + 32636236383566316565383137613232353066313032373430643631303433616265323566663165 + 3539316363386538370a353937613535313538366562616334313566366332393532616630636133 + 6562 + roles: - common diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 1c24a11..30afb74 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
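Review bot: In the `common.yml` hunk, `ansible_become_password` is set under play-level `vars:` on `hosts: all`, so every host in the inventory is given the same sudo password, and because play vars take precedence over inventory and `host_vars` values, a per-host password defined there would be silently overridden. The `hosts` hunk of this patch marks only `gw-akb.oopen.de` with `ansible_become=true`, so the secret appears to be scoped more widely than it is used. Moving the vaulted value into that host's (or a sudo-managed group's) variables file keeps it next to the hosts that need it. The play continues outside this hunk.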
@@ -328,6 +328,123 @@ apt_initial_install_buster: - socat - wakeonlan +apt_initial_install_bullseye: + - apt-transport-https + - dbus + - openssh-server + - rush + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - cron + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - universal-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.32 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline-dev + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua5.4 + - btrfs-progs + - fdisk + apt_initial_install_xenial: - apt-transport-https - dbus @@ -1569,7 +1686,6 @@ luks_device: [] apt_ansible_dependencies: - python - - python-apt - python3 - python3-apt - lsb-release diff --git a/hosts b/hosts index 9a19117..a031502 100644 --- a/hosts +++ b/hosts 
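Review bot: `apt_initial_install_bullseye` lists `wipe` and `groff` twice, and it installs cleartext-protocol clients and capture tools (`telnet`, `ftp`, `rdate`, `tcpdump`) on every bullseye host as part of the baseline. The duplicates are harmless to apt but make the list harder to diff against the buster list; the second `- wipe` and `- groff` entries can simply be dropped. For the tools, I would move anything that is only needed for troubleshooting into `apt_extra_pkgs` (used by the "Install extra packages" task in this patch) so that servers start from a smaller package set. A one-line comment above the list naming the release it mirrors would also help the next copy for a new Debian version.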
@@ -12,6 +12,7 @@ ab12.akb.netz 192.168.63.168 file-akb.akb.netz ansible_user=root 192.168.82.20 ansible_user=root +gw-akb.oopen.de ansible_become=true ansible_become_method=sudo ansible_user=chris [client_pc] ab1.akb.netz @@ -67,3 +68,4 @@ file-akb.akb.netz ansible_user=root 192.168.82.20 ansible_user=root [gateway_server] +gw-akb.oopen.de ansible_become=true ansible_become_method=sudo ansible_user=chris diff --git a/roles/ansible_dependencies-bullseye/tasks/main.yml b/roles/ansible_dependencies-bullseye/tasks/main.yml new file mode 100644 index 0000000..2e522a8 --- /dev/null +++ b/roles/ansible_dependencies-bullseye/tasks/main.yml 
@@ -0,0 +1,47 @@ +--- + +- name: re-synchronize the package index files from their sources + raw: apt-get update + +- name: Ensure aptitude is present + raw: test -e /usr/bin/aptitude || apt-get install aptitude -y + +- name: Ensure python2 is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python2 || (apt -y update && apt install -y python-is-python2) + +- name: Ensure python3 is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3) + +- name: Ensure python-apt-common is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python2 && (apt -y update && apt install -y python-apt-common) + +- name: Ensure python-apt is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt) + +- name: dpkg --configure -a + command: > + dpkg --configure -a + args: + warn: false + changed_when: _dpkg_configure.stdout_lines | length + register: _dpkg_configure + when: apt_dpkg_configure|bool + tags: + - ansible-dependencies + +- name: apt upgrade + apt: + upgrade: "{{ apt_upgrade_type }}" + update_cache: true + dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}" + when: apt_upgrade|bool + tags: + - ansible-dependencies + +- name: apt install ansible dependencies + apt: + name: "{{ apt_ansible_dependencies }}" + state: "{{ apt_install_state }}" + tags: + - ansible-dependencies + diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml index e602270..b9e8308 100644 --- a/roles/common/tasks/apt.yml +++ b/roles/common/tasks/apt.yml @@ -65,6 +65,7 @@ name: "{{ apt_initial_install_stretch }}" state: "{{ apt_install_state }}" when: + - - apt_initial_install_stretch is defined and apt_initial_install_stretch|length > 0 - ansible_facts['distribution'] == "Debian" - ansible_facts['distribution_major_version'] == "9" tags: 
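Review bot: The task "Ensure python-apt is present" in `roles/ansible_dependencies-bullseye/tasks/main.yml` tests for `/usr/bin/python3`, which the preceding task has just installed, so its `||` branch never runs and `python3-apt` is not installed by it. Testing for the package itself fixes that: `raw: dpkg -s python3-apt >/dev/null 2>&1 || apt-get install -y python3-apt` (`apt-get` rather than `apt`, whose CLI is not meant for scripts). The role also pulls in `python-is-python2`; Python 2 reached upstream end of life in 2020, so if nothing on these hosts still needs it, dropping that task and the `python-apt-common` one avoids shipping an unmaintained interpreter. The final task installs `apt_ansible_dependencies`, which after this patch still contains `python`; as far as I know bullseye has no package of that name, so that task may fail there — worth confirming on a fresh host.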
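Review bot: The condition added to the stretch task in `roles/common/tasks/apt.yml` starts with a doubled dash (`- - apt_initial_install_stretch is defined …`), which YAML parses as a list nested inside the `when` list rather than as a condition string. Depending on the Ansible version that item is either rejected or treated as a non-empty, truthy value, so the guard probably does not behave like the equivalent guards on the buster and bullseye tasks; this should be confirmed with a run against a stretch host. The line should read `- apt_initial_install_stretch is defined and apt_initial_install_stretch|length > 0`. The same typo is present in the stretch task of `roles/common/tasks/apt.yml.NEW`. The task begins and ends outside this hunk.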
@@ -76,12 +77,25 @@ name: "{{ apt_initial_install_buster }}" state: "{{ apt_install_state }}" when: + - apt_initial_install_buster is defined and apt_initial_install_buster|length > 0 - ansible_facts['distribution'] == "Debian" - ansible_facts['distribution_major_version'] == "10" tags: - apt-initial-install +- name: (apt.yml) Initial install debian packages (bullseye) + apt: + name: "{{ apt_initial_install_bullseye }}" + state: "{{ apt_install_state }}" + when: + - apt_initial_install_bullseye is defined and apt_initial_install_bullseye|length > 0 + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "11" + tags: + - apt-initial-install + + - name: (apt.yml) Initial install ubuntu packages (bionic) apt: name: "{{ apt_initial_install_bionic }}" @@ -122,30 +136,14 @@ - apt-microcode -- name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch) +- name: (apt.yml) Install CPU microcode (debian buster/bullseye) apt: - name: "{{ microcode_amd_package }}" - state: present - default_release: "{{ ansible_distribution_release }}-backports" - when: - - apt_backports_enable - - apt_debian_contrib_nonfree_enable - - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_major_version'] == "9" - - ansible_facts['processor']|string is search("AMD") - tags: - - apt-initial-install - - apt-microcode - - -- name: (apt.yml) Install CPU microcode for Intel CPU (debian buster) - apt: - name: "{{ microcode_intel_package }}" + name: "{{ microcode_package }}" state: present default_release: "{{ ansible_distribution_release }}" when: - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_major_version'] == "10" + - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" - ansible_facts['processor']|string is search("Intel") tags: - apt-initial-install 
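Review bot: As far as this hunk shows, no task installs CPU microcode on AMD hosts any more: the stretch AMD task is removed, and the merged "buster/bullseye" task switches to a vendor-neutral `microcode_package` while keeping the condition `ansible_facts['processor']|string is search("Intel")`. Microcode packages carry mitigations for CPU vulnerabilities, so AMD machines would silently stop receiving them from this role. `microcode_package` is also not defined in any hunk of this patch (the previous names were `microcode_amd_package` and `microcode_intel_package`); confirm that it exists and resolves per CPU vendor, then drop or adapt the Intel-only condition. The version test reads more simply as `- ansible_facts['distribution_major_version'] in ["10", "11"]`.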
diff --git a/roles/common/tasks/apt.yml.NEW b/roles/common/tasks/apt.yml.NEW
new file mode 100644
index 0000000..44920f8
--- /dev/null
+++ b/roles/common/tasks/apt.yml.NEW
@@ -0,0 +1,275 @@ +--- + +- name: (apt.yml) update configuration file - /etc/apt/sources.list + template: + src: "etc/apt/sources.list.{{ ansible_distribution }}.j2" + dest: /etc/apt/sources.list + owner: root + group: root + mode: 0644 + register: apt_config_updated + when: apt_manage_sources_list|bool + tags: + - apt-configuration + +- name: (apt.yml) apt update + apt: + update_cache: true + cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}" + when: apt_update|bool + tags: + - apt-update + - apt-upgrade + - apt-dpkg-configure + - apt-initial-install + - apt-microcode + - apt-compiler-pkgs + - apt-webserver-pkgs + +- name: (apt.yml) dpkg --configure + command: > + dpkg --configure -a + args: + warn: false + changed_when: _dpkg_configure.stdout_lines | length + register: _dpkg_configure + when: apt_dpkg_configure|bool + tags: + - apt-dpkg-configure + - apt-initial-install + - apt-microcode + - apt-compiler-pkgs + - apt-webserver-pkgs + +- name: (apt.yml) apt upgrade + apt: + upgrade: "{{ apt_upgrade_type }}" + update_cache: true + dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}" + when: apt_upgrade|bool + tags: + - apt-upgrade + - apt-initial-install + - apt-microcode + - apt-compiler-pkgs + - apt-webserver-pkgs + +- name: (apt.yml) Initial install debian packages (stretch) + apt: + name: "{{ apt_initial_install_stretch }}" + state: "{{ apt_install_state }}" + when: + - - apt_initial_install_stretch is defined and apt_initial_install_stretch|length > 0 + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "9" + tags: + - apt-initial-install + +- name: (apt.yml) Initial install debian packages (buster) + apt: + name: "{{ apt_initial_install_buster }}" + state: "{{ apt_install_state }}" + when: + - apt_initial_install_buster is defined and apt_initial_install_buster|length > 0 + - ansible_facts['distribution'] == "Debian" + - 
ansible_facts['distribution_major_version'] == "10" + tags: + - apt-initial-install + +- name: (apt.yml) Initial install debian packages (bullseye) + apt: + name: "{{ apt_initial_install_bullseye }}" + state: "{{ apt_install_state }}" + when: + - apt_initial_install_bullseye is defined and apt_initial_install_bullseye|length > 0 + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "11" + tags: + - apt-initial-install + +- name: (apt.yml) Initial install ubuntu packages (bionic) + apt: + name: "{{ apt_initial_install_bionic }}" + state: "{{ apt_install_state }}" + when: + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_release'] == "bionic" + tags: + - apt-initial-install + +- name: (apt.yml) Initial install ubuntu packages (xenial) + apt: + name: "{{ apt_initial_install_xenial }}" + state: "{{ apt_install_state }}" + when: + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_release'] == "xenial" + tags: + - apt-initial-install + +- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch) + apt: + name: "{{ microcode_package }}" + state: present + default_release: "{{ ansible_distribution_release }}-backports" + when: + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "9" + - ansible_facts['processor']|string is search("Intel") + tags: + - apt-initial-install + - apt-microcode + +- name: (apt.yml) Install CPU microcode (debian buster/bullseye) + apt: + name: "{{ microcode_package }}" + state: present + default_release: "{{ ansible_distribution_release }}" + when: + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" + - ansible_facts['processor']|string is search("Intel") + tags: + - apt-initial-install + - apt-microcode + +- name: (apt.yml) Install CPU microcode (ubuntu bionic) + apt: + name: "{{ 
microcode_package }}" + state: present + default_release: "{{ ansible_distribution_release }}" + when: + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_release'] == "bionic" + - ansible_facts['processor']|string is search("Intel") + tags: + - apt-initial-install + - apt-microcode + +- name: (apt.yml) Install CPU microcode (ubuntu xenial) + apt: + name: "{{ microcode_package }}" + state: present + default_release: "{{ ansible_distribution_release }}" + when: + - ansible_facts['distribution'] == "Ubuntu" + - ansible_facts['distribution_release'] == "xenial" + - ansible_facts['processor']|string is search("Intel") + tags: + - apt-initial-install + - apt-microcode + +- name: (apt.yml) Install lxc_host related packages + apt: + name: "{{ apt_lxc_host_pkgs }}" + state: "{{ apt_install_state }}" + when: apt_install_lxc_host_pkgs|bool + tags: + - apt-lxc-hosts-pkgs + +- name: (apt.yml) Install compiler related packages + apt: + name: "{{ apt_compiler_pkgs }}" + state: "{{ apt_install_state }}" + when: apt_install_compiler_pkgs|bool + tags: + - apt-compiler-pkgs + +- name: (apt.yml) Install postgresql_server related packages + apt: + name: "{{ apt_postgresql_pkgs }}" + state: "{{ apt_install_state }}" + when: apt_install_postgresql_pkgs|bool + tags: + - apt-postgresql-server-pkgs + +- name: (apt.yml) Install webserver related packages + apt: + name: "{{ apt_webserver_pkgs }}" + state: "{{ apt_install_state }}" + when: apt_install_webserver_pkgs|bool + tags: + - apt-webserver-pkgs + +- name: (apt.yml) Install extra packages + apt: + name: "{{ apt_extra_pkgs }}" + state: "{{ apt_install_state }}" + when: apt_install_extra_pkgs|bool + tags: + - apt-extra-pkgs + +- name: (apt.yml) Remove unwanted packages + apt: + name: "{{ apt_remove }}" + state: absent + purge: "{{ apt_remove_purge }}" + tags: + - apt-remove + +- name: (apt.yml) autoremove + apt: + autoremove: true + dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}" + when: 
apt_autoremove|bool + tags: + - apt-autoremove + - apt-initial-install + - apt-microcode + - apt-compiler-pkgs + - apt-webserver-pkgs + +- name: (apt.yml) clean + command: apt-get -y clean + args: + warn: false + changed_when: false + when: apt_clean|bool + tags: + - apt-clean + - apt-initial-install + - apt-microcode + - apt-compiler-pkgs + - apt-mysql-server-pkgs + - apt-webserver-pkgs + +# Fix error if install/update of repository mysql-/mariadb-client breaks +# link '/etc/mysql/my.cnf' in case mysql/mariadb was installed from source +# +- name: (apt.yml) Check if file '/usr/local/mysql/etc/my.cnf' exists + stat: + path: /usr/local/mysql/etc/my.cnf + register: usr_local_mysql_etc_my_cnf + when: groups['mysql_server']|string is search(inventory_hostname) or + groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nextcloud_server']|string is search(inventory_hostname) + tags: + - apt-webserver-pkgs + - apt-mysql-server-pkgs + - check_mysql_cnf + +#- name: debug +# debug: +# msg: +# - usr_local_mysql_etc_my_cnf.stst.exists = {{ usr_local_mysql_etc_my_cnf.stat.exists }} +# - "Variable usr_local_mysql_etc_my_cnf: {{ usr_local_mysql_etc_my_cnf }}" +# tags: +# - check_mysql_cnf + +- name: (apt.yml) Create a symbolic link /etc/my.cnf -> /usr/local/mysql/etc/my.cnf + file: + src: /usr/local/mysql/etc/my.cnf + dest: /etc/mysql/my.cnf + owner: root + group: root + state: link + when: + - (groups['mysql_server']|string is search(inventory_hostname) or + groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nextcloud_server']|string is search(inventory_hostname)) + - usr_local_mysql_etc_my_cnf.stat.exists + tags: + - apt-webserver-pkgs + - apt-mysql-server-pkgs + - check_mysql_cnf + diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2 index 82c5856..5284dbb 100644 --- a/roles/common/templates/etc/apt/sources.list.Debian.j2 
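Review bot: The two `my.cnf` tasks at the end of `apt.yml.NEW` decide group membership with `groups['mysql_server']|string is search(inventory_hostname)`, which is a regular-expression search over the stringified list, so a host whose name is contained in another member's name (constructed example: `db1.example` inside `proddb1.example`) also matches, and every `.` in the hostname matches any character. A host outside the three groups could therefore have `/etc/mysql/my.cnf` replaced by the symlink. An exact test avoids that: `inventory_hostname in groups['mysql_server']`, and likewise for `apache2_webserver` and `nextcloud_server`. Separately, `mode: 0644` on the `sources.list` template is safer quoted as `mode: "0644"`, and committing a full copy of `apt.yml` under a `.NEW` name invites drift between the two files; the stretch microcode task already differs from the one in `apt.yml`.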
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2 @@ -1,10 +1,26 @@ -# {{ ansible_managed | comment }} +# {{ ansible_managed }} deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main -deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main -{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main +{% if ansible_facts['distribution_major_version'] | int >= 11 %} +deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free +{% else %} +deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free +{% endif %} +{% if not apt_src_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 11 %} +#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free +{% else %} +#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free +{% endif %} +{% else %} +{% if ansible_facts['distribution_major_version'] | int >= 11 %} +deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free +{% else %} +deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free +{% endif %} +{% endif %} # {{ ansible_lsb.codename }}-updates, previously known as 'volatile' deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main diff --git a/roles/common/templates/etc/apt/sources.list.Ubuntu.j2 b/roles/common/templates/etc/apt/sources.list.Ubuntu.j2 new file mode 100644 index 0000000..896a6c5 --- /dev/null +++ b/roles/common/templates/etc/apt/sources.list.Ubuntu.j2 
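Review bot: The rewritten security lines hard-code `main contrib non-free` for every release, while the mirror line directly above still offers only `main` and the role has an `apt_debian_contrib_nonfree_enable` toggle (visible in the lines removed from `apt.yml`). Hosts that are meant to run without non-free packages would therefore get them enabled through the security archive; I would either keep `main` here or append the extra components only when that toggle is true. The twelve-line nested `if` for `deb-src` can follow the style the file already uses two lines earlier, e.g. `{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main` inside the existing version check. The rest of the template is outside this hunk, so component handling further down could not be checked.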
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }} main restricted universe multiverse
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-updates main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu {{ ansible_lsb.codename }}-security main restricted universe multiverse
+
+{% if apt_backports_enable %}
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-backports main restricted universe multiverse
+{% endif %}
+
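Review bot: The header `# {{ ansible_managed }}` comments out only the first line of the value, so if `ansible_managed` is ever configured as a multi-line string the remaining lines land uncommented in `/etc/apt/sources.list` and `apt update` fails to parse the file; `{{ ansible_managed | comment }}` without the leading `# ` handles both cases, and the Debian template changed in this patch has the same header. `apt_ubuntu_mirror` is not defined in any hunk of this patch, so confirm that it exists in `group_vars` before the template is rendered on an Ubuntu host. The template also enables `universe multiverse` unconditionally and has no `deb-src` handling, unlike the Debian one; a short comment at the top stating that this is intentional would save the next reader the comparison.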