Initial commit

This commit is contained in:
2019-06-28 02:28:50 +02:00
commit 21fcd86115
107 changed files with 8346 additions and 0 deletions

roles/common/tasks/apt.yml Normal file

@ -0,0 +1,206 @@
---
- name: (apt.yml) update configuration file - /etc/apt/sources.list
template:
src: "etc/apt/sources.list.{{ ansible_distribution }}.j2"
dest: /etc/apt/sources.list
owner: root
group: root
mode: 0644
register: apt_config_updated
when: apt_manage_sources_list|bool
tags:
- apt-configuration
- name: (apt.yml) apt update
apt:
update_cache: true
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when: apt_update|bool
tags:
- apt-update
- apt-upgrade
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) dpkg --configure
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- apt-upgrade
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) Initial install debian packages (stretch)
apt:
name: "{{ apt_initial_install_stretch }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
tags:
- apt-initial-install
- name: (apt.yml) Initial install debian packages (buster)
apt:
name: "{{ apt_initial_install_buster }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- apt-initial-install
- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch)
apt:
name: "{{ microcode_package }}"
state: present
default_release: "{{ ansible_distribution_release }}-backports"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-microcode
- name: (apt.yml) Install CPU microcode (debian buster)
apt:
name: "{{ microcode_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-microcode
- name: (apt.yml) Install lxc_host related packages
apt:
name: "{{ apt_lxc_host_pkgs }}"
state: "{{ apt_install_state }}"
when: apt_install_lxc_host_pkgs|bool
tags:
- apt-lxc-hosts-pkgs|bool
- name: (apt.yml) Install compiler related packages
apt:
name: "{{ apt_compiler_pkgs }}"
state: "{{ apt_install_state }}"
when: apt_install_compiler_pkgs|bool
tags:
- apt-compiler-pkgs|bool
- name: (apt.yml) Install postgresql_server related packages
apt:
name: "{{ apt_postgresql_pkgs }}"
state: "{{ apt_install_state }}"
when: apt_install_postgresql_pkgs|bool
tags:
- apt-postgresql-server-pkgs
- name: (apt.yml) Install webserver related packages
apt:
name: "{{ apt_webserver_pkgs }}"
state: "{{ apt_install_state }}"
when: apt_install_webserver_pkgs|bool
tags:
- apt-webserver-pkgs
- name: (apt.yml) Remove unwanted packages
apt:
name: "{{ apt_remove }}"
state: absent
purge: "{{ apt_remove_purge }}"
tags:
- apt-remove
- name: (apt.yml) autoremove
apt:
autoremove: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_autoremove|bool
tags:
- apt-autoremove
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) clean
command: apt-get -y clean
args:
warn: false
changed_when: false
when: apt_clean|bool
tags:
- apt-clean
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-mysql-server-pkgs
- apt-webserver-pkgs
# Fix error if install/update of repository mysql-/mariadb-client breaks
# link '/etc/mysql/my.cnf' in case mysql/mariadb was installed from source
#
- name: (apt.yml) Check if file '/usr/local/mysql/etc/my.cnf' exists
stat:
path: /usr/local/mysql/etc/my.cnf
register: usr_local_mysql_etc_my_cnf
when: groups['mysql_server']|string is search(inventory_hostname) or
groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nextcloud_server']|string is search(inventory_hostname)
tags:
- apt-webserver-pkgs
- apt-mysql-server-pkgs
- check_mysql_cnf
#- name: debug
# debug:
# msg:
# - usr_local_mysql_etc_my_cnf.stst.exists = {{ usr_local_mysql_etc_my_cnf.stat.exists }}
# - "Variable usr_local_mysql_etc_my_cnf: {{ usr_local_mysql_etc_my_cnf }}"
# tags:
# - check_mysql_cnf
- name: (apt.yml) Create a symbolic link /etc/my.cnf -> /usr/local/mysql/etc/my.cnf
file:
src: /usr/local/mysql/etc/my.cnf
dest: /etc/mysql/my.cnf
owner: root
group: root
state: link
when:
- (groups['mysql_server']|string is search(inventory_hostname) or
groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nextcloud_server']|string is search(inventory_hostname))
- usr_local_mysql_etc_my_cnf.stat.exists
tags:
- apt-webserver-pkgs
- apt-mysql-server-pkgs
- check_mysql_cnf
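Review bot: The tags on the lxc_host and compiler install tasks carry a stray `|bool` suffix (`apt-lxc-hosts-pkgs|bool`, `apt-compiler-pkgs|bool`), so `--tags apt-lxc-hosts-pkgs` and `--tags apt-compiler-pkgs` as documented in main.yml never select them; they should read `- apt-lxc-hosts-pkgs` and `- apt-compiler-pkgs`. The group-membership tests in the my.cnf stat and symlink tasks (`groups['mysql_server']|string is search(inventory_hostname)`) are substring matches against the stringified group list, so a host named `db` also matches `db2`, and a group missing from the inventory makes the lookup undefined and fails the conditional; `inventory_hostname in groups.get('mysql_server', [])` is exact and tolerates the missing group. The same idiom recurs in basic.yml, git.yml, main.yml and users.yml. The symlink task's name says `/etc/my.cnf` while `dest` is `/etc/mysql/my.cnf`, and presumably a package-provided regular file at that path would make `state: link` refuse to convert it without `force: true` — worth confirming on a host where the distribution package is installed.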


@ -0,0 +1,46 @@
---
- name: (basic.yml) Ensure timezone is is correct
timezone: name={{ time_zone }}
when: "inventory_hostname not in groups['lxc_guest']|string"
tags:
- timezone
- name: (basic.yml) Ensure locales are present
locale_gen:
name: "{{ item }}"
state: present
with_items: "{{ locales }}"
tags:
- locales
- name: (basic.yml) Create a symbolic link /bin/sh -> bash
file:
src: bash
dest: /bin/sh
owner: root
group: root
state: link
tags:
- symlink-sh
- name: (basic.yml) Check file '/etc/systemd/system.conf' exists
stat:
path: /etc/systemd/system
register: etc_systemd_system_conf
when:
- set_default_limit_nofile|bool == true
- name: (basic.yml) Change DefaultLimitNOFILE to 1048576
lineinfile:
dest: /etc/systemd/system.conf
state: present
regexp: '^DefaultLimitNOFILE'
line: 'DefaultLimitNOFILE=1048576'
insertafter: '^#DefaultLimitNOFILE'
when:
- set_default_limit_nofile|bool == true
- etc_systemd_system_conf.stat.exists == true
tags:
- systemd-nofiles
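Review bot: The stat task named "Check file '/etc/systemd/system.conf' exists" stats `/etc/systemd/system` (the unit directory) rather than the file, so `etc_systemd_system_conf.stat.exists` is true on every systemd host and the lineinfile that follows can run against a missing `/etc/systemd/system.conf`; the path should be `path: /etc/systemd/system.conf`. The conditionals `set_default_limit_nofile|bool == true` and `etc_systemd_system_conf.stat.exists == true` can drop the `== true`, which is the idiomatic form. The `/bin/sh -> bash` task silently replaces the distribution's default `sh` (dash on Debian) on every host, which changes the semantics of any script relying on POSIX `sh`; if that is intended, a comment such as `# intentionally replaces dash as /bin/sh: <reason>` belongs above it.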


@ -0,0 +1,83 @@
---
- name: (caching-nameserver.yml) update
apt:
update_cache: true
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when: apt_update|bool
tags:
- apt-caching-nameserver
- name: (caching-nameserver.yml) dpkg --configure
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- apt-caching-nameserver
- name: (caching-nameserver.yml) upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- apt-caching-nameserver
- name: (caching-nameserver.yml) Install bind9 packages
apt:
name: "{{ apt_bind9_pkgs }}"
state: present
when: apt_install_bind9_packages|bool == true
tags:
- apt-caching-nameserver
- name: (caching-nameserver.yml) Create directory /var/log/named if it does not exist
file:
path: /var/log/named
state: directory
owner: bind
group: bind
mode: '0755'
- name: (caching-nameserver.yml) update named.conf.options configuration file
template:
src: etc/bind/named.conf.options.j2
dest: /etc/bind/named.conf.options
backup: yes
owner: root
group: bind
mode: 0644
#validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (caching-nameserver.yml) Add 127.0.0.1 as first nameserver entry to /etc/resolv.conf
lineinfile:
path: /etc/resolv.conf
line: nameserver 127.0.0.1
firstmatch: yes
insertbefore: '^nameserver'
state: present
owner: root
group: root
mode: '0644'
- name: (caching-nameserver.yml) Start service bind9, if not started
service:
name: bind9
state: reloaded
enabled: yes
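Review bot: The template task "update named.conf.options configuration file" is tagged `sudoers-global-configuration`, a leftover from sudoers.yml, so `--tags apt-caching-nameserver` skips the nameserver config while a sudoers-only run rewrites it; the tag should be `- apt-caching-nameserver`. Its `validate` line is a commented-out `visudo` call copied from the same place; `validate: 'named-checkconf %s'` would reject a broken options fragment before it is installed (if the fragment does not parse standalone, validate the full config in a handler instead). The service task "Start service bind9, if not started" uses `state: reloaded`, which reloads bind9 on every run regardless of changes; make it `state: started` and have the template task `notify` a reload handler. `backup: yes` and `enabled: yes` should be `true` to match the booleans used elsewhere in the role.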

roles/common/tasks/git.yml Normal file

@ -0,0 +1,237 @@
---
- name: (git.yml) include variables
include_vars: "{{ item }}"
with_first_found:
- "git-{{ inventory_hostname }}.yml"
- "git-{{ ansible_distribution_release }}.yml"
- "git-{{ ansible_distribution | lower }}.yml"
- git-default.yml
tags:
- git-default-repositories
- git-lxc-guest-repositories
- git-apache2-repositories
- git-nginx-repositories
- git-mysql-server-repositories
- git-postgresql-server-repositories
- git-nextcloud-server-repositories
- git-dns-server-repositories
- git-backup-server-repositories
- git-samba-server-repositories
- git-mailservers-repositories
- git-sympa-repositories
- git-other-repositories
# ---
# Default reposotories
# ---
- name: (git.yml) Install/Update default repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_default_repositories }}'
tags:
- git-default-repositories
# ---
# Group [lxc_guest] reposotories
# ---
- name: (git.yml) Install/Update lxc_guest repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_lxc_guest_repositories }}'
when: "groups['lxc_guest']|string is search(inventory_hostname)"
tags:
- git-lxc-guest-repositories
# ---
# Group [lxc_host] reposotories
# ---
- name: (git.yml) Install/Update lxc_host repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_lxc_host_repositories }}'
when: "groups['lxc_host']|string is search(inventory_hostname)"
tags:
- git-lxc-host-repositories
# ---
# Group [apache2_webserver] reposotories
# ---
- name: (git.yml) Install/Update apache2 repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_apache2_repositories }}'
when: "groups['apache2_webserver']|string is search(inventory_hostname)"
tags:
- git-apache2-repositories
# ---
# Group [nginx_webserver] reposotories
# ---
- name: (git.yml) Install/Update nginx repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_nginx_repositories }}'
when: "groups['nginx_webserver']|string is search(inventory_hostname)"
tags:
- git-nginx-repositories
# ---
# Group [mysql_server] reposotories
# ---
- name: (git.yml) Install/Update mysql server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_mysql_repositories }}'
when: "groups['mysql_server']|string is search(inventory_hostname)"
tags:
- git-mysql-server-repositories
# ---
# Group [postgresql_server] reposotories
# ---
- name: (git.yml) Install/Update postgresql-server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_postgresql_repositories }}'
when: "groups['postgresql_server']|string is search(inventory_hostname)"
tags:
- git-postgresql-server-repositories
# ---
# Group [nextcloud_server] reposotories
# ---
- name: (git.yml) Install/Update nextcloud server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_nextcloud_repositories }}'
when: "groups['nextcloud_server']|string is search(inventory_hostname)"
tags:
- git-nextcloud-server-repositories
# ---
# Group [dns_server] reposotories
# ---
- name: (git.yml) Install/Update dns server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_dns_repositories }}'
when: "groups['dns_server']|string is search(inventory_hostname)"
tags:
- git-dns-server-repositories
# ---
# Group [backup_server] reposotories
# ---
- name: (git.yml) Install/Update backup server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_backup_repositories }}'
when: "groups['backup_server']|string is search(inventory_hostname)"
ignore_errors: True
tags:
- git-backup-server-repositories
# ---
# Group [samba_server] reposotories
# ---
- name: (git.yml) Install/Update samba server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_samba_repositories }}'
when: "groups['samba_server']|string is search(inventory_hostname)"
ignore_errors: True
tags:
- git-samba-server-repositories
# ---
# Group [mail_server] reposotories
# ---
#- name: include variables
# include_vars: "git-mailservers.yml"
# tags:
# - initial-setup
# - git
# - git-mailservers
- name: (git.yml) Install/Update default repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_mailserver_repositories }}'
when: "groups['mail_server']|string is search(inventory_hostname)"
tags:
- git-mailservers-repositories
# ---
# Group [sympa_list_servers] reposotories
# ---
- name: (git.yml) Install/Update sympa server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_sympa_repositories }}'
when: "groups['sympa_list_server']|string is search(inventory_hostname)"
tags:
- git-sympa-repositories
# ---
# Other (host specific) repositories
# ---
# Read in host specific vars file if exists
- name: (git.yml) Include only files matching git-<hostname>.yml (2.2)
include_vars:
dir: vars
extensions:
- yml
files_matching: "git-{{ inventory_hostname }}.yml"
tags:
- git-other-repositories
- name: (git.yml) Install/Update other repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_other_repositories }}'
tags:
- git-other-repositories
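Review bot: The include_vars task's tag list omits `git-lxc-host-repositories`, which the "Install/Update lxc_host repositories" task uses, so a run limited to that tag reaches the `git` task with `git_lxc_host_repositories` undefined; add `- git-lxc-host-repositories` to the include_vars tags (and to the list documented in main.yml). `ignore_errors: True` on the backup-server and samba-server tasks hides every clone failure, including SSH host-key verification and authentication errors, so a checkout can be silently absent or stale; drop it, or narrow it with a `failed_when` on the one condition you want to tolerate. None of the `git` tasks set `version`, so each run tracks whatever the remote default branch currently points at; if the repository items can carry it, `version: '{{ item.version | default("HEAD") }}'` lets individual repos be pinned to a tag or commit. The mail-server task is named "Install/Update default repositories", copied from the first task; rename it to mention mailserver so play output is unambiguous.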

roles/common/tasks/main.yml Normal file

@ -0,0 +1,110 @@
---
# tags supported inside basic.yml
#
# timezone
# locales
# systemd-nofiles
- import_tasks: basic.yml
tags:
- basic
# tags supported inside sshd.yml
#
# sshd-config
- import_tasks: sshd.yml
tags: sshd
# tags supported inside apt.yml
#
# apt-update
# apt-upgrade
# apt-dpkg-configure
# apt-initial-install
# apt-microcode
# apt-compiler-pkgs
# apt-webserver-pkgs
# apt-lxc-hosts-pkgs
# apt-mysql-server-pkgs
# apt-postgresql-server-pkgs
# apt-remove
# apt-autoremove
# apt-clean
- import_tasks: apt.yml
tags: apt
# tags supported inside users.yml:
#
# users-exists
# groups-exists
# authorized_key
# sudo-users
# insert-ssh-keypair-backup-server
# keypair-backup-server
# root-defaut-ssh-keypair
# insert_root_ssh_public_key
- import_tasks: users.yml
tags: users
# tags supported inside users-systemfiles.yml:
#
# bash
# profile
# vim
- import_tasks: users-systemfiles.yml
tags: users-systemfiles
# tags supported inside users.yml:
#
# users-exists
# groups-exists
# authorized_key
# sudo-users
# webadmin-defaut-ssh-keypair
# insert_webadmin_ssh_public_key
- import_tasks: webadmin-user.yml
when: groups['webadmin']|string is search(inventory_hostname)
tags:
- users
- users-systemfiles
- webadmin
# tags supported inside sudoers.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers.yml
tags: sudoers
# tags supportetd inside git.yml
#
# git-default-repositories
# git-lxc-guest-repositories
# git-apache2-repositories
# git-nginx-repositories
# git-mysql-server-repositories
# git-nextcloud-server-repositories
# git-postgresql-server-repositories
# git-dns-server-repositories
# git-backup-server-repositories
# git-mailservers-repositories
# git-sympa-repositories
# git-other-repositories
- import_tasks: git.yml
tags: git
# tags supportetd inside caching-nameserver.yml
#
# apt-caching-nameserver
- import_tasks: caching-nameserver.yml
when: groups['caching_nameserver']|string is search(inventory_hostname)
tags: caching-nameserver
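Review bot: The comment block above `import_tasks: webadmin-user.yml` is headed `# tags supported inside users.yml:`, copied from the users.yml block; it should read `# tags supported inside webadmin-user.yml:` so the list is attributed to the right file. The sudoers.yml list omits `sudo-users`, which sudoers.yml's last task uses, and the git.yml list omits `git-lxc-host-repositories`, which git.yml's lxc_host task uses; add both so this file remains a reliable index of the role's tags. `supportetd` in the git.yml and caching-nameserver.yml headers is a typo for `supported`.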


@ -0,0 +1,28 @@
---
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
stat:
path: /etc/ssh/sshd_config.ORIG
register: etc_sshd_sshd_config_ORIG
tags:
- sshd-config
- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
when: etc_sshd_sshd_config_ORIG.stat.exists == False
tags:
- sshd-config
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: 'sshd -f %s -T'
#backup: yes
notify: "Restart ssh"
tags:
- sshd-config
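Review bot: The backup task `command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG` can be made idempotent on its own with `args: creates: /etc/ssh/sshd_config.ORIG`, which also lets the preceding stat task go; if the stat is kept, `when: not etc_sshd_sshd_config_ORIG.stat.exists` reads better than `== False`. With `validate: 'sshd -f %s -T'` already guarding the template, re-enabling the commented `backup: yes` (as `backup: true`) keeps a copy of each previous sshd_config rather than only the one-time `.ORIG` snapshot, which is what you want when a template change locks an operator out. `mode: 0644` relies on YAML 1.1 octal parsing of the leading zero; `mode: '0644'` is the portable spelling, and the same applies to the unquoted modes in apt.yml, sudoers.yml and users-systemfiles.yml.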


@ -0,0 +1,57 @@
---
- name: (sudoers.yml) include variables
include_vars: "{{ item }}"
with_first_found:
- "sudoers-{{ inventory_hostname }}.yml"
- "sudoers-{{ ansible_distribution_release }}.yml"
- "sudoers-{{ ansible_distribution | lower }}.yml"
- "sudoers-default.yml"
tags:
- sudoers-remove
- sudoers-file-configuration
- sudoers-global-configuration
- name: (sudoers.yml) Remove user entries in file /etc/sudoers
lineinfile:
dest: /etc/sudoers
state: absent
regexp: '^{{ item }}'
owner: root
group: root
mode: 0440
validate: visudo -cf %s
with_items: '{{ sudoers_remove_user }}'
tags:
- sudoers-remove
- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.j2
dest: /etc/sudoers.d/50-user
#validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers.yml) update global sudoers configuration file
template:
src: etc/sudoers.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
#validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_users }}"
tags:
- sudo-users
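Review bot: Both template tasks that write `/etc/sudoers.d/50-user` and `/etc/sudoers` have their `validate` line commented out, while the lineinfile task on `/etc/sudoers` does validate; a syntax error in either rendered file disables sudo for every account on the host, so re-enable `validate: 'visudo -cf %s'` on both templates. Removing entries with `regexp: '^{{ item }}'` matches any line that merely begins with the user name, so removing `bob` also strips `bobby`'s entry and unescaped regex metacharacters in a name change the match; `regexp: '^{{ item | regex_escape }}\s'` anchors it to a whole name. `append: yes` should be `append: true` to match the booleans used elsewhere in the role, and `mode: 0440` is safer quoted as `mode: '0440'`.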


@ -0,0 +1,139 @@
---
# --
# Copy .bashrc
# ---
- name: (users-systemfiles.yml) Check if users file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
with_items: "{{ default_user }}"
tags:
- bash
- name: (users-systemfiles.yml) Backup existing users .bashrc file
command: cp ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
with_items: "{{ bashrc_user_orig_exists.results }}"
when: item.stat.exists == False
tags:
- bash
- name: (users-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc') }}"
dest: "~{{ item.name }}/.bashrc"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ default_user }}"
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc')
tags:
- bash
- name: (users-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists
stat:
path: /root/.bashrc.ORIG
register: bashrc_root_orig_exists
tags:
- bash
- name: (users-systemfiles.yml) Backup /root/.bashrc file
command: cp /root/.bashrc /root/.bashrc.ORIG
when: bashrc_root_orig_exists.stat.exists == False
tags:
- bash
- name: (users-systemfiles.yml) copy .bashrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') }}"
dest: "/root/.bashrc"
owner: root
group: root
mode: 0644
when: lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc')
tags:
- bash
# --
# Copy .profile
# ---
- name: (users-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
with_items: "{{ default_user }}"
tags:
- profile
- name: (users-systemfiles.yml) Backup existing users .profile file
command: cp ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
with_items: "{{ profile_user_orig_exists.results }}"
when: item.stat.exists == False
tags:
- profile
- name: (users-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile') }}"
dest: "~{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ default_user }}"
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile')
tags:
- profile
- name: (users-systemfiles.yml) Check if file '/root/.profile.ORIG' exists
stat:
path: /root/.profile.ORIG
register: profile_root_orig_exists
tags:
- profile
- name: (users-systemfiles.yml) Backup existing users .profile file
command: cp -a /root/.profile /root/.profile.ORIG
when: profile_root_orig_exists.stat.exists == False
tags:
- profile
- name: (users-systemfiles.yml) copy .profile for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') }}"
dest: "/root/.profile"
owner: root
group: root
mode: 0644
when: lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile')
tags:
- profile
# --
# Copy .vimrc
# ---
- name: (users-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc') }}"
dest: "~{{ item.name }}/.vimrc"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ default_user }}"
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc')
tags:
- vim
- name: (users-systemfiles.yml) copy .vimrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') }}"
dest: "/root/.vimrc"
owner: root
group: root
mode: 0644
when: lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc')
tags:
- vim
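Review bot: The per-user backup tasks run `cp ~user/.bashrc ~user/.bashrc.ORIG` and `cp ~user/.profile ~user/.profile.ORIG` without `-a`, unlike the root `.profile` backup, so the `.ORIG` files created inside each user's home are owned by root with root's umask; use `cp -a` (or the `copy` module with `remote_src: true`) so the backup keeps the user's ownership and mode. The `when: item.stat.exists == False` and `when: bashrc_root_orig_exists.stat.exists == False` guards read better as `when: not item.stat.exists`. The task "Backup existing users .profile file" is used for both the per-user and the root `.profile` backups; renaming the root one (e.g. "Backup /root/.profile file", matching the `.bashrc` pair) keeps play output unambiguous.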


@ -0,0 +1,180 @@
---
# ---
# - default user/groups
# ---
- name: (users.yml) Ensure default groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
with_items: '{{ default_user }}'
when: item.group_id is defined
tags:
- groups-exists
- name: (users.yml) Ensure default users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
group: '{{ item.name | default(omit) }}'
home: '{{ item.home | default(omit) }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ default_user }}'
tags:
- users-exists
- name: (users.yml) Ensure authorized_key files for default users are present
authorized_key:
user: "{{ item.0.name }}"
key: "{{ item.1 }}"
state: present
with_subelements:
- '{{ default_user }}'
- ssh_keys
tags:
- authorized_key
# ---
# - extra user/groups
# ---
- name: (users.yml) Ensure extra groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
with_items: '{{ extra_user }}'
when:
- extra_user is defined and extra_user|length > 0
- item.group_id is defined
tags:
- groups-exists
- name: (users.yml) Ensure extra users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
group: '{{ item.name | default(omit) }}'
home: '{{ item.home | default(omit) }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ extra_user }}'
when: extra_user is defined and extra_user|length > 0
tags:
- users-exists
- name: (users.yml) Ensure authorized_key files for extra users are present
authorized_key:
user: "{{ item.0.name }}"
key: "{{ item.1 }}"
state: present
with_subelements:
- '{{ extra_user }}'
- ssh_keys
when: extra_user is defined and extra_user|length > 0
tags:
- authorized_key
# ---
# - Take care backup host has rsa key to connect via ssh to the other hosts
# ---
- name: (users.yml) Copy ssh rsa private key to user root of backup server
copy:
src: '{{ item.priv_key_src }}'
dest: '{{ item.priv_key_dest }}'
owner: root
group: root
mode: '0600'
with_items: '{{ ssh_keypair_backup_server }}'
when:
- ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0
- insert_ssh_keypair_backup_server|bool
tags:
- insert-ssh-keypair-backup-server
- keypair-backup-server
- name: (users.yml) Copy ssh rsa public key to user root of backup server
copy:
src: '{{ item.pub_key_src }}'
dest: '{{ item.pub_key_dest }}'
owner: root
group: root
mode: '0644'
with_items: '{{ ssh_keypair_backup_server }}'
when:
- ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0
- insert_ssh_keypair_backup_server|bool
tags:
- insert-ssh-keypair-backup-server
- keypair-backup-server
- name: (users.yml) Ensure user back has public rsa key of backup server
authorized_key:
user: "{{ item.backup_user }}"
key: "{{ lookup('file', item.pub_key_src) }}"
state: present
with_items: '{{ ssh_keypair_backup_server }}'
when: ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0
tags:
- authorized_key
- keypair-backup-server
# ---
# - Allow connection via ssh to backup host
# ---
- name: (users.yml) Copy default ed25519 ssh private key to user root
copy:
src: '{{ item.priv_key_src }}'
dest: '{{ item.priv_key_dest }}'
owner: root
group: root
mode: '0600'
#when: groups['oopen_server']|string is search(inventory_hostname)
when:
- insert_root_ssh_keypair|bool
- groups['backup_server']|string is not search(inventory_hostname)
with_items: '{{ root_ssh_keypair }}'
tags:
- insert_root_ssh_keypair
- root-defaut-ssh-keypair
- name: (users.yml) Copy default ed25519 ssh public key to user root
copy:
src: '{{ item.pub_key_src }}'
dest: '{{ item.pub_key_dest }}'
owner: root
group: root
mode: '0644'
with_items: '{{ root_ssh_keypair }}'
#when: groups['oopen_server']|string is search(inventory_hostname)
when:
- insert_root_ssh_keypair|bool
- groups['backup_server']|string is not search(inventory_hostname)
tags:
- insert_root_ssh_keypair
- root-defaut-ssh-keypair
- name: (users.yml) Ensure authorized_key (root) on backup hosts contains public key
authorized_key:
user: root
key: "{{ lookup('file', item.pub_key_src) }}"
state: present
with_items: '{{ root_ssh_keypair }}'
when: inventory_hostname == item.target
tags:
- authorized_key
- root-defaut-ssh-keypair
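Review bot: The `extra_user` and `ssh_keypair_backup_server` tasks guard with `... is defined` in `when`, but Ansible evaluates `with_items`/`with_subelements` before `when`, so an undefined variable still fails the task before the guard is consulted; write the loops as `with_items: '{{ extra_user | default([]) }}'` (and likewise for the subelements and backup-keypair loops), after which the `is defined and |length > 0` guards are redundant. The "Ensure default users exists" and "Ensure extra users exists" tasks pass `password: "{{ item.password }}"` inside a loop whose `item` is echoed in play output and logs, so the password hashes are printed on every run; add `no_log: true` to both tasks. The `user` module expects `password` to be an already-hashed value, so a comment on the expected format, e.g. `# password: crypt(3) hash (see the password_hash filter), never plaintext`, would stop a plaintext value from being written to the shadow file as-is.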


@ -0,0 +1,196 @@
---
# ---
# - webadmin user/group
# ---
- name: (webadmin-user.yml) Ensure webadmin group exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
with_items: '{{ webadmin_user }}'
when:
- groups['webadmin']|string is search(inventory_hostname)
- webadmin_user is defined
- item.group_id is defined
tags:
- webadmin
- groups-exists
- name: (webadmin-user.yml) Ensure webadmin user exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
group: '{{ item.name | default(omit) }}'
home: '{{ item.home | default(omit) }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ webadmin_user }}'
when:
- groups['webadmin']|string is search(inventory_hostname)
- webadmin_user is defined
tags:
- webadmin
- users-exists
- name: (webadmin-user.yml) Ensure authorized_key files for webadmin user is present
authorized_key:
user: "{{ item.0.name }}"
key: "{{ item.1 }}"
state: present
with_subelements:
- '{{ webadmin_user }}'
- ssh_keys
when:
- groups['webadmin']|string is search(inventory_hostname)
- webadmin_user is defined
tags:
- webadmin
- authorized_key
- name: (webadmin-user.yml) Copy default ed25519 ssh private key to user webadmin
copy:
src: '{{ item.priv_key_src }}'
dest: '{{ item.priv_key_dest }}'
owner: '{{ item.login }}'
group: '{{ item.login }}'
mode: '0600'
#when: groups['oopen_server']|string is search(inventory_hostname)
when:
- insert_webadmin_ssh_keypair|bool
with_items: '{{ webadmin_ssh_keypair }}'
tags:
- webadmin
- webadmin-defaut-ssh-keypair
- name: (webadmin-user.yml) Copy default ssh key ed25519 public key to user webadmin
copy:
src: '{{ item.pub_key_src }}'
dest: '{{ item.pub_key_dest }}'
owner: '{{ item.login }}'
group: '{{ item.login }}'
mode: '0644'
with_items: '{{ webadmin_ssh_keypair }}'
when:
- insert_webadmin_ssh_keypair|bool
tags:
- webadmin
- webadmin-defaut-ssh-keypair
- name: (webadmin-user.yml) Ensure .ssh/config of user webadmin is up-to-date
template:
src: var/www/.ssh/config.j2
dest: '~webadmin/.ssh/config'
owner: webadmin
group: webadmin
mode: '0644'
when:
- insert_webadmin_ssh_keypair|bool
tags:
- webadmin
- webadmin-defaut-ssh-keypair
# devel-repos contains SVN repositiries; webadmin must have ssh access to
# to webadmin at devel-repos to manage SVN repository
#
- name: (webadmin-user.yml) Ensure authorized_key on devel-repos hosts contains public key
authorized_key:
user: "{{ item.login }}"
key: "{{ lookup('file', item.pub_key_src) }}"
state: present
with_items: '{{ webadmin_ssh_keypair }}'
when: inventory_hostname == item.target
tags:
- webadmin
- authorized_key
- insert_webadmin_ssh_public_key
# --
# Copy .bashrc
# ---
- name: (webadmin-user.yml) Check if webadmin's file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_webadmin_orig_exists
with_items: "{{ webadmin_user }}"
tags:
- webadmin
- bash
- name: (webadmin-user.yml) Backup existing webadmin's .bashrc file
command: cp ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
with_items: "{{ bashrc_webadmin_orig_exists.results }}"
when: item.stat.exists == False
tags:
- webadmin
- bash
- name: (webadmin-user.yml) copy new .bashrc ifor webadmin if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc') }}"
dest: "~{{ item.name }}/.bashrc"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ webadmin_user }}"
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc')
tags:
- webadmin
- bash
# --
# Copy .profile
# ---
- name: (webadmin-user.yml) Check if webadmin's file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_webadmin_orig_exists
with_items: "{{ webadmin_user }}"
tags:
- webadmin
- profile
- name: (webadmin-user.yml) Backup existing users .profile file
command: cp ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
with_items: "{{ profile_webadmin_orig_exists.results }}"
when: item.stat.exists == False
tags:
- webadmin
- profile
- name: (webadmin-user.yml) copy .profile for user webadmin if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile') }}"
dest: "~{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ webadmin_user }}"
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile')
tags:
- webadmin
- profile
# --
# Copy .vimrc
# ---
- name: (webadmin-user.yml) copy .vimrc for user webadmin if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc') }}"
dest: "~{{ item.name }}/.vimrc"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ webadmin_user }}"
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc')
tags:
- webadmin
- vim