update..

roles/common/tasks/basic.yml

@@ -28,53 +28,178 @@
     - symlink-sh
 
 
-- name: (basic.yml) Check file '/etc/systemd/system.conf' exists
-  stat:
-    path: /etc/systemd/system
-  register: etc_systemd_system_conf
+# ----------
+# security limit (maybe DEPRECATED see systemd settings)
+# ----------
+
+- name: (basic.yml) Ensure directory '/etc/security/limits.d' exists
+  file:
+    path: /etc/security/limits.d
+    state: directory
+    mode: 0755
+    group: root
+    owner: root
   when:
-    - set_default_limit_nofile|bool == true
+    - inventory_hostname in groups['file_server']
+    - copy_plain_files_security_limits is defined
+    - copy_plain_files_security_limits|length > 0
+  tags:
+    - systemd-config
 
-
-- name: (basic.yml) Change DefaultLimitNOFILE to 1048576
-  lineinfile:
-    dest: /etc/systemd/system.conf
-    state: present
-    regexp: '^DefaultLimitNOFILE'
-    line: 'DefaultLimitNOFILE=1048576'
-    insertafter: '^#DefaultLimitNOFILE'
+- name: (basic.yml) Ensure files /etc/security/limits.d/*.conf exists
+  copy:
+    src: '{{ item.src_path }}'
+    dest: '{{ item.dest_path }}'
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ copy_plain_files_security_limits }}"
+  loop_control:
+    label: 'dest: {{ item.name }}'
   when:
-    - set_default_limit_nofile|bool == true
-    -  etc_systemd_system_conf.stat.exists == true
+    - inventory_hostname in groups['file_server']
+    - copy_plain_files_security_limits is defined
+    - copy_plain_files_security_limits|length > 0
   tags:
-    - systemd-nofiles
+    - systemd-config
 
 
-- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists
-  stat:
-    path: /etc/security/limits.conf.ORIG
-  register: etc_security_limits_conf_ORIG
+# ----------
+# systemd stuff
+# ----------
+
+- name: (basic.yml) Ensure directory '/etc/systemd/system.conf.d' exists
+  file:
+    path: /etc/systemd/system.conf.d
+    state: directory
+    mode: 0755
+    group: root
+    owner: root
+  when:
+    - inventory_hostname in groups['file_server']
+    - copy_plain_files_systemd is defined
+    - copy_plain_files_systemd|length > 0
   tags:
-    - limits-conf
+    - systemd-config
 
-- name: (basic.yml) Backup installation version of file '/etc/security/limits.conf'
-  command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG
-  when: etc_security_limits_conf_ORIG.stat.exists == False
+- name: (basic.yml) Ensure files /etc/systemd/system.conf.d/*.conf exists
+  copy:
+    src: '{{ item.src_path }}'
+    dest: '{{ item.dest_path }}'
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ copy_plain_files_systemd }}"
+  loop_control:
+    label: 'dest: {{ item.name }}'
+  when:
+    - inventory_hostname in groups['file_server']
+    - copy_plain_files_systemd is defined
+    - copy_plain_files_systemd|length > 0
   tags:
-    - limits-conf
+    - systemd-config
+
+- name: (basic.yml) Ensure directory '/etc/systemd/journald.conf.d' exists
+  file:
+    path: /etc/systemd/journald.conf.d
+    state: directory
+    mode: 0755
+    group: root
+    owner: root
+  when:
+    - copy_plain_files_journald is defined
+    - copy_plain_files_journald|length > 0
+  tags:
+    - systemd-config
+
+- name: (basic.yml) Ensure files /etc/systemd/journald.conf.d/*.conf exists
+  copy:
+    src: '{{ item.src_path }}'
+    dest: '{{ item.dest_path }}'
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ copy_plain_files_journald }}"
+  loop_control:
+    label: 'dest: {{ item.name }}'
+  notify: "Restart systemd-journald"
+  when:
+    - copy_plain_files_journald is defined
+    - copy_plain_files_journald|length > 0
+  tags:
+    - systemd-config
 
 
-- name: (basic.yml) Create new sshd_config from template limits.conf.j2
+# ----------
+# unattended upgrades
+# ----------
+
+- name: (basic.yml) install unattended-upgrades
+  apt: pkg=unattended-upgrades state=present
+  when:
+    - ansible_facts['distribution'] == "Debian"
+  tags:
+    - unattended-upgrades
+
+- name: (basic.yml) install apt-listchanges
+  apt: pkg=apt-listchanges state=present
+  when:
+    - ansible_facts['distribution'] == "Debian"
+  tags:
+    - unattended-upgrades
+
+- name: (basic.yml) remove apticron
+  apt: pkg=apticron state=absent
+  when:
+    - ansible_facts['distribution'] == "Debian"
+  tags:
+    - unattended-upgrades
+
+- name: (basic.yml) check if /etc/apt/apt.conf.d/20auto-upgrades exists
+  stat: path=/etc/apt/apt.conf.d/20auto-upgrades
+  register: ua_enabled
+  when:
+    - ansible_facts['distribution'] == "Debian"
+  tags:
+    - unattended-upgrades
+
+- name: (basic.yml) activate unattended upgrades
+  shell: DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure -plow unattended-upgrades
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ua_enabled.stat.exists == False
+  tags:
+    - unattended-upgrades
+
+- name: (basic.yml) copy apt-listchanges.conf
   template:
-    src: etc/security/limits.conf.j2
-    dest: /etc/security/limits.conf
+    src: etc/apt/listchanges.conf.j2
+    dest: /etc/apt/listchanges.conf
     owner: root
     group: root
     mode: 0644
+  when:
+    - ansible_facts['distribution'] == "Debian"
   tags:
-    - limits-conf
+    - unattended-upgrades
 
+- name: (basic.yml) copy unattended-upgrades conf
+  template:
+    src: etc/apt/apt.conf.d/50unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    backup: yes
+    owner: root
+    group: root
+    mode: 0644
+  when:
+    - ansible_facts['distribution'] == "Debian"
+  tags:
+    - unattended-upgrades
+
+
+# ----------
 # - /etc/hosts
+# ----------
 
 - name: (basic.yml) Check file '/etc/hosts.ORIG' exists
   stat: