get rid of deprecated code.

2026-02-01 12:30:58 +01:00
parent 1feef826b7
commit 4e06ed01aa
15 changed files with 162 additions and 98 deletions


@@ -745,7 +745,6 @@ apt_initial_install_trixie:
- patchutils - patchutils
- perl - perl
- perl-doc - perl-doc
- perl-modules
- psmisc - psmisc
- quota - quota
- quotatool - quotatool

37
hosts

@@ -2,13 +2,24 @@ formbricks-nd.oopen.de
#[so36_server_dehydrated] #[so36_server_dehydrated]
#comm.so36.net ansible_user=ckubu #comm.so36.net ansible_user=ckubu
#noc.so36.net ansible_user=ckubu #noc.so36.net ansible_user=ckubu
rage.so36.net ansible_user=ckubu
#rubyhost.so36.net ansible_user=ckubu #rubyhost.so36.net ansible_user=ckubu
#sympa.so36.net ansible_user=ckubu #sympa.so36.net ansible_user=ckubu
#schleuder3.so36.net ansible_user=ckubu #schleuder3.so36.net ansible_user=ckubu
#site36.net ansible_user=ckubu #site36.net ansible_user=ckubu
#web.so36.net ansible_user=ckubu #web.so36.net ansible_user=ckubu
[so36_server] [so36_server]
backup.so36.net ansible_user=ckubu
comm.so36.net ansible_user=ckubu
devnull.so36.net ansible_user=ckubu
ns.so36net.de ansible_user=ckubu
rage.so36.net ansible_user=ckubu
resolver-b.so36.net ansible_user=ckubu
resolver-a.so36.net ansible_user=ckubu
schleuder3.so36.net ansible_user=ckubu
shell.so36.net ansible_user=ckubu
site36.net ansible_user=ckubu
sympa.so36.net ansible_user=ckubu
web.so36.net ansible_user=ckubu
#kvm05.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 #kvm05.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036
#kvm13.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 #kvm13.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036
@@ -19,14 +30,12 @@ lxc-host-kb.anw-kb.netz
o13-git.oopen.de o13-git.oopen.de
o13-staging-board.oopen.de o13-staging-board.oopen.de
o25.oopen.de o25.oopen.de
o33.oopen.de
o41.oopen.de o41.oopen.de
dc-opp.oopen.de dc-opp.oopen.de
discourse.oopen.de discourse.oopen.de
test-nd.oopen.de test-nd.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
cl-lubax.oopen.de
ga-st-mm.ga.netz
[dns_sinma] [dns_sinma]
@@ -55,6 +64,7 @@ gw-irights.oopen.de
gw-km.oopen.de gw-km.oopen.de
gw-mbr.oopen.de gw-mbr.oopen.de
gw-opp.oopen.de gw-opp.oopen.de
gw-opp-neu.opp.netz
gw-spr.oopen.de gw-spr.oopen.de
gw-kb.oopen.de gw-kb.oopen.de
@@ -86,7 +96,6 @@ ga-gh-gw.oopen.de
gw-campus.oopen.de gw-campus.oopen.de
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-kvm1.ga.netz ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz ga-al-kvm2.ga.netz
@@ -218,7 +227,6 @@ web.cadus.org
cl-lubax.oopen.de cl-lubax.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -398,7 +406,6 @@ mm-migration.oopen.de
o24.oopen.de o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
ga-st-mm.ga.netz
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@@ -432,7 +439,6 @@ web.cadus.org
cl-lubax.oopen.de cl-lubax.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -569,6 +575,7 @@ gw-mbr.oopen.de
# OPP # OPP
gw-opp.oopen.de gw-opp.oopen.de
gw-opp-neu.opp.netz
zapata.opp.netz zapata.opp.netz
# Sprachenatelier # Sprachenatelier
@@ -588,7 +595,6 @@ gw-campus.oopen.de
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-services.ga.netz ga-st-services.ga.netz
ga-al-ws1.ga.netz ga-al-ws1.ga.netz
@@ -877,7 +883,6 @@ mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@@ -918,7 +923,6 @@ web-nd.oopen.de
# GA - Gemeinschaft Altensclirf # GA - Gemeinschaft Altensclirf
ga-st-services.ga.netz ga-st-services.ga.netz
ga-st-mm.ga.netz
# --- # ---
# Warenform server # Warenform server
@@ -1012,7 +1016,6 @@ mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# o27.oopen.de # o27.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
@@ -1037,7 +1040,6 @@ g.mx.oopen.de
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
# --- # ---
@@ -1074,7 +1076,7 @@ stolpersteine.oopen.de
# o13.oopen.de # o13.oopen.de
o13-staging-board.oopen.de o13-staging-board.oopen.de
o13-mail.oopen.de #o13-mail.oopen.de
o13-web.oopen.de o13-web.oopen.de
# Freiheit für daniela # Freiheit für daniela
@@ -1110,7 +1112,6 @@ mm-migration.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@@ -1603,7 +1604,6 @@ mm-migration.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# - o27.oopen.de # - o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
@@ -1619,7 +1619,6 @@ meet.akweb.de
cloud.akweb.de cloud.akweb.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -1686,7 +1685,6 @@ zapata.opp.netz
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-services.ga.netz ga-st-services.ga.netz
@@ -1844,7 +1842,6 @@ web.cadus.org
cl-lubax.oopen.de cl-lubax.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -1903,7 +1900,6 @@ web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
# Gemeinchaft Altenschlirf # Gemeinchaft Altenschlirf
ga-st-mm.ga.netz
lxc-host-kb.anw-kb.netz lxc-host-kb.anw-kb.netz
@@ -1955,6 +1951,7 @@ gw-irights.oopen.de
gw-km.oopen.de gw-km.oopen.de
gw-mbr.oopen.de gw-mbr.oopen.de
gw-opp.oopen.de gw-opp.oopen.de
gw-opp-neu.opp.netz
gw-spr.oopen.de gw-spr.oopen.de
gw-kb.oopen.de gw-kb.oopen.de


@@ -4,5 +4,6 @@
- hosts: - hosts:
- oopen_server - oopen_server
- warenform_server - warenform_server
- so36_server
roles: roles:
- modify-ipt-server - modify-ipt-server


@@ -167,7 +167,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}-backports" default_release: "{{ ansible_facts['distribution_release'] }}-backports"
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9" - ansible_facts['distribution_major_version'] == "9"
@@ -181,7 +181,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" or ansible_facts['distribution_major_version'] == "13" - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" or ansible_facts['distribution_major_version'] == "13"
@@ -195,7 +195,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Ubuntu" - ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic" - ansible_facts['distribution_release'] == "bionic"
@@ -209,7 +209,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Ubuntu" - ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial" - ansible_facts['distribution_release'] == "xenial"
@@ -223,7 +223,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Ubuntu" - ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "jammy" - ansible_facts['distribution_release'] == "jammy"


@@ -51,8 +51,8 @@
# yum-initial-install # yum-initial-install
- import_tasks: yum.yml - import_tasks: yum.yml
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" or ansible_distribution == "Fedora" - ansible_facts.distribution == "CentOS" or ansible_facts.distribution == "Fedora"
tags: yum tags: yum
@@ -293,14 +293,14 @@
- import_tasks: systemd-services_debian_based_OS.yml - import_tasks: systemd-services_debian_based_OS.yml
when: when:
- ansible_os_family == "Debian" - ansible_facts.os_family == "Debian"
tags: tags:
- services - services
- import_tasks: systemd-services_redhat_based_OS.yml - import_tasks: systemd-services_redhat_based_OS.yml
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
tags: tags:
- services - services


@@ -11,7 +11,7 @@
- nfs-kernel-server - nfs-kernel-server
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts['os_family'] == "Debian"
- "groups['nfs_server']|string is search(inventory_hostname)" - "groups['nfs_server']|string is search(inventory_hostname)"
tags: tags:
- nfs-server - nfs-server
@@ -132,7 +132,7 @@
pkg: nfs-common pkg: nfs-common
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts['os_family'] == "Debian"
- "groups['nfs_client']|string is search(inventory_hostname)" - "groups['nfs_client']|string is search(inventory_hostname)"
tags: tags:
- nfs-client - nfs-client
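Review bot: The group-membership tests left in both `when:` lists, `groups['nfs_server']|string is search(inventory_hostname)` and its `nfs_client` counterpart, turn the whole group list into one string and run a regex search over it, so a host whose name is a substring of (or regex-matches) another member's name is treated as a member. This commit already replaces that pattern in the Jinja template that renders the `sudoers_file_*` entries; the same form fits here: `- inventory_hostname in (groups['nfs_server'] | default([]))`. The `groups['lxc_host']|string is search(inventory_hostname)` conditions in the yum tasks are affected in the same way. Both NFS tasks begin above the visible hunks.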


@@ -10,7 +10,7 @@
- ntpsec - ntpsec
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts.os_family == "Debian"
tags: tags:
- ntp-server - ntp-server
@@ -19,7 +19,7 @@
path: /etc/ntpsec/ntp.conf.ORIG path: /etc/ntpsec/ntp.conf.ORIG
register: etc_ntpsec_conf_ORIG register: etc_ntpsec_conf_ORIG
when: when:
- ansible_distribution == "Debian" - ansible_facts.distribution == "Debian"
tags: tags:
- ntp-server - ntp-server
@@ -32,7 +32,7 @@
group: ntpsec group: ntpsec
mode: '0755' mode: '0755'
when: when:
- ansible_distribution == "Debian" - ansible_facts.distribution == "Debian"
- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf' - name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'


@@ -80,8 +80,8 @@
- "'www-data' in my_users" - "'www-data' in my_users"
- "'redis' in my_groups" - "'redis' in my_groups"
vars: vars:
my_users: "{{ getent_passwd.keys()|list }}" my_users: "{{ ansible_facts.getent_passwd.keys()|list }}"
my_groups: "{{ getent_group.keys()|list }}" my_groups: "{{ ansible_facts.getent_group.keys()|list }}"
tags: tags:
- redis-server - redis-server
@@ -94,8 +94,8 @@
- "'webadmin' in my_users" - "'webadmin' in my_users"
- "'redis' in my_groups" - "'redis' in my_groups"
vars: vars:
my_users: "{{ getent_passwd.keys()|list }}" my_users: "{{ ansible_facts.getent_passwd.keys()|list }}"
my_groups: "{{ getent_group.keys()|list }}" my_groups: "{{ ansible_facts.getent_group.keys()|list }}"
tags: tags:
- redis-server - redis-server


@@ -42,7 +42,8 @@
loop_control: loop_control:
label: '{{ item.name }}' label: '{{ item.name }}'
when: when:
- item.name not in getent_passwd - ansible_facts.getent_passwd is defined
- item.name not in ansible_facts.getent_passwd
tags: tags:
- samba-server - samba-server
- samba-user - samba-user
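Review bot: With the added `ansible_facts.getent_passwd is defined` condition, a run in which the passwd facts were never gathered now skips every loop item silently instead of failing, so the task no longer signals that its prerequisite is missing. The task body and the getent lookup it depends on are outside this hunk; if that lookup is expected to have run, an explicit check is clearer, for example a preceding `assert` with `that: ansible_facts.getent_passwd is defined`. The redis tasks changed in this commit call `ansible_facts.getent_passwd.keys()` with no guard at all, so the two task files now treat the same missing fact differently.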


@@ -2,6 +2,6 @@
- name: Show hostname - name: Show hostname
debug: debug:
msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] }}.{{ ansible_fqdn.split('.')[1] | default('NONE') }}.{{ ansible_fqdn.split('.')[2] | default('NONE') }}" msg: "Host: {{ ansible_facts.fqdn | split('.') | first }} FQDN: {{ ansible_facts.fqdn.split('.')[0] }}.{{ ansible_facts.fqdn.split('.')[1] | default('NONE') }}.{{ ansible_facts.fqdn.split('.')[2] | default('NONE') }}"
# msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_fqdn.split('.')[1] ) }}" # msg: "Host: {{ ansible_facts.fqdn | split('.') | first }} FQDN: {{ ansible_facts.fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_facts.fqdn.split('.')[1] ) }}"


@@ -8,7 +8,7 @@
with_items: with_items:
- "{{ redhat_services_active_and_started }}" - "{{ redhat_services_active_and_started }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
#- debug: msg="{{ service_exists.results }}" #- debug: msg="{{ service_exists.results }}"
@@ -23,7 +23,7 @@
label: '{{ item.item }}' label: '{{ item.item }}'
when: when:
- item.rc == 0 - item.rc == 0
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
#- debug: msg="{{ service_is_enabled.results }}" #- debug: msg="{{ service_is_enabled.results }}"


@@ -6,7 +6,7 @@
- tor - tor
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts.os_family == "Debian"
tags: tags:
- tor-service - tor-service


@@ -7,8 +7,8 @@
update_cache: yes update_cache: yes
#cache_valid_time: 3600 #cache_valid_time: 3600
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" or ansible_distribution == "Fedora" - ansible_facts.distribution == "CentOS" or ansible_facts.distribution == "Fedora"
tags: tags:
- yum-update - yum-update
@@ -18,8 +18,8 @@
name: epel-release name: epel-release
state: latest state: latest
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
# Its more eficient to in # Its more eficient to in
@@ -28,9 +28,9 @@
name: "{{ yum_base_install_centos_7 }}" name: "{{ yum_base_install_centos_7 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- ansible_distribution_major_version == "7" - ansible_facts.distribution_major_version == "7"
tags: tags:
- yum-base-install - yum-base-install
@@ -39,9 +39,9 @@
name: "{{ yum_initial_install_centos_7 }}" name: "{{ yum_initial_install_centos_7 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- ansible_distribution_major_version == "7" - ansible_facts.distribution_major_version == "7"
tags: tags:
- yum-initial-install - yum-initial-install
@@ -52,9 +52,9 @@
name: "{{ yum_base_install_fedora_38 }}" name: "{{ yum_base_install_fedora_38 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- ansible_distribution_major_version == "38" - ansible_facts.distribution_major_version == "38"
tags: tags:
- yum-base-install - yum-base-install
@@ -63,9 +63,9 @@
name: "{{ yum_initial_install_fedora_38 }}" name: "{{ yum_initial_install_fedora_38 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- ansible_distribution_major_version == "38" - ansible_facts.distribution_major_version == "38"
tags: tags:
- yum-initial-install - yum-initial-install
@@ -75,8 +75,8 @@
name: "{{ yum_lxc_host_pkgs_centos }}" name: "{{ yum_lxc_host_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- groups['lxc_host']|string is search(inventory_hostname) - groups['lxc_host']|string is search(inventory_hostname)
tags: tags:
- yum-lxc-hosts-pkgs - yum-lxc-hosts-pkgs
@@ -86,8 +86,8 @@
name: "{{ yum_lxc_host_pkgs_fedora }}" name: "{{ yum_lxc_host_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- groups['lxc_host']|string is search(inventory_hostname) - groups['lxc_host']|string is search(inventory_hostname)
tags: tags:
- yum-lxc-hosts-pkgs - yum-lxc-hosts-pkgs
@@ -98,8 +98,8 @@
name: "{{ yum_postgresql_pkgs_centos }}" name: "{{ yum_postgresql_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- install_postgresql_pkgs|bool - install_postgresql_pkgs|bool
tags: tags:
- apt-postgresql-server-pkgs - apt-postgresql-server-pkgs
@@ -109,8 +109,8 @@
name: "{{ yum_postgresql_pkgs_fedora }}" name: "{{ yum_postgresql_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- install_postgresql_pkgs|bool - install_postgresql_pkgs|bool
tags: tags:
- apt-postgresql-server-pkgs - apt-postgresql-server-pkgs
@@ -121,8 +121,8 @@
name: "{{ yum_compiler_pkgs_centos }}" name: "{{ yum_compiler_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- install_compiler_pkgs|bool - install_compiler_pkgs|bool
tags: tags:
- yum-compiler-pkgs - yum-compiler-pkgs
@@ -132,8 +132,8 @@
name: "{{ yum_compiler_pkgs_fedora }}" name: "{{ yum_compiler_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- install_compiler_pkgs|bool - install_compiler_pkgs|bool
tags: tags:
- yum-compiler-pkgs - yum-compiler-pkgs
@@ -143,8 +143,8 @@
name: "{{ yum_webserver_pkgs_centos }}" name: "{{ yum_webserver_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- install_webserver_pkgs|bool - install_webserver_pkgs|bool
tags: tags:
- yum-webserver-pkgs - yum-webserver-pkgs
@@ -154,8 +154,8 @@
name: "{{ yum_webserver_pkgs_fedora }}" name: "{{ yum_webserver_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- install_webserver_pkgs|bool - install_webserver_pkgs|bool
tags: tags:
- yum-webserver-pkgs - yum-webserver-pkgs


@@ -41,7 +41,7 @@ back {{ item }}
{% endfor -%} {% endfor -%}
{%- if ansible_virtualization_role == 'host' %} {%- if ansible_facts['virtualization_role'] == 'host' %}
{% for item in sudoers_file_user_back_disk_privileges | default([]) %} {% for item in sudoers_file_user_back_disk_privileges | default([]) %}
back {{ item }} back {{ item }}
@@ -49,7 +49,7 @@ back {{ item }}
{% endif -%} {% endif -%}
{%- if groups['webadmin']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["webadmin"] | default([])) %}
{% for item in sudoers_file_user_webadmin_disk_privileges | default([]) %} {% for item in sudoers_file_user_webadmin_disk_privileges | default([]) %}
webadmin {{ item }} webadmin {{ item }}
@@ -57,7 +57,7 @@ webadmin {{ item }}
{% endif -%} {% endif -%}
{%- if groups['postgresql_server']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["postgresql_server"] | default([])) %}
{% for item in sudoers_file_user_back_postgres_privileges | default([]) %} {% for item in sudoers_file_user_back_postgres_privileges | default([]) %}
back {{ item }} back {{ item }}
@@ -66,7 +66,7 @@ back {{ item }}
{# dns server #} {# dns server #}
{%- if groups['dns_server']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["dns_server"] | default([])) %}
{% for item in sudoers_file_dns_server_privileges | default([]) %} {% for item in sudoers_file_dns_server_privileges | default([]) %}
{{ item.name }} {{ item.entry }} {{ item.name }} {{ item.entry }}
@@ -75,7 +75,7 @@ back {{ item }}
{# postfixadmin rules #} {# postfixadmin rules #}
{%- if groups['mail_server']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["mail_server"] | default([])) %}
{% for item in sudoers_file_postfixadmin_privileges | default([]) %} {% for item in sudoers_file_postfixadmin_privileges | default([]) %}
{{ item.name }} {{ item.entry }} {{ item.name }} {{ item.entry }}


@@ -172,8 +172,8 @@
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- drop_mndp_ipv4_present is changed - drop_mndp_ipv4_present is changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- name: Check if String 'drop_mndp=..' is present - name: Check if String 'drop_mndp=..' is present
@@ -246,8 +246,69 @@
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- drop_mndp_ipv6_present is changed - drop_mndp_ipv6_present is changed
notify: # notify:
- Restart IPv6 Firewall # - Restart IPv6 Firewall
# ---
# Fix section Limit Connections - add limit_new_tcp_connections_per_seconds_ports
# ---
- name: Check if String 'limit_new_tcp_connections_per_seconds_ports=..' is present
shell: grep -q -E "^limit_new_tcp_connections_per_seconds_ports=" /etc/ipt-firewall/main_ipv4.conf
register: drop_limit_new_tcp_connections_per_seconds_ports_present
when: main_ipv4_exists.stat.exists
failed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 1"
changed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (limit_new_tcp_connections_per_seconds_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*limit_new_tcp_connections_per_seconds_per_source_IP'
block: |
# - limit_new_tcp_connections_per_seconds_ports
# -
# - comma separated list of ports
# -
# - Example:
# - limit_new_tcp_connections_per_seconds_ports="80,443"
# - limit_new_tcp_connections_per_seconds_ports="80,110,143,443,465,995"
#
limit_new_tcp_connections_per_seconds_ports=""
marker: "# Marker set by modify-ipt-server.yml (limit_new_tcp_connections_per_seconds_ports)"
when:
- main_ipv4_exists.stat.exists
- drop_limit_new_tcp_connections_per_seconds_ports_present is changed
# notify:
# - Restart IPv4 Firewall
- name: Check if String 'limit_new_tcp_connections_per_seconds_ports=..' is present
shell: grep -q -E "^limit_new_tcp_connections_per_seconds_ports=" /etc/ipt-firewall/main_ipv6.conf
register: drop_limit_new_tcp_connections_per_seconds_ports_present
when: main_ipv6_exists.stat.exists
failed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 1"
changed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (limit_new_tcp_connections_per_seconds_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*limit_new_tcp_connections_per_seconds_per_source_IP'
block: |
# - limit_new_tcp_connections_per_seconds_ports
# -
# - comma separated list of ports
# -
# - Example:
# - limit_new_tcp_connections_per_seconds_ports="80,443"
# - limit_new_tcp_connections_per_seconds_ports="80,110,143,443,465,995"
#
limit_new_tcp_connections_per_seconds_ports=""
marker: "# Marker set by modify-ipt-server.yml (limit_new_tcp_connections_per_seconds_ports)"
when:
- main_ipv6_exists.stat.exists
- drop_limit_new_tcp_connections_per_seconds_ports_present is changed
# notify:
# - Restart IPv6 Firewall
# === # ===
@@ -318,8 +379,8 @@
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- per_ip_connection_limit_settings_ipv4_present is changed - per_ip_connection_limit_settings_ipv4_present is changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- name: Check if String 'per_IP_connection_limit=..' is present - name: Check if String 'per_IP_connection_limit=..' is present
@@ -337,8 +398,8 @@
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- per_ip_connection_limit_settings_ipv6_present is changed - per_ip_connection_limit_settings_ipv6_present is changed
notify: # notify:
- Restart IPv6 Firewall # - Restart IPv6 Firewall
@@ -363,7 +424,7 @@
- load_modules_ipv6.conf - load_modules_ipv6.conf
- logging_ipv4.conf - logging_ipv4.conf
- logging_ipv6.conf - logging_ipv6.conf
- post_decalrations.conf - post_declarations.conf
register: diff_script_output register: diff_script_output
- name: Ensure configuration files are latest - name: Ensure configuration files are latest
@@ -375,13 +436,13 @@
- load_modules_ipv6.conf - load_modules_ipv6.conf
- logging_ipv4.conf - logging_ipv4.conf
- logging_ipv6.conf - logging_ipv6.conf
- post_decalrations.conf - post_declarations.conf
when: when:
- git_firewall_repository is defined and git_firewall_repository|length > 0 - git_firewall_repository is defined and git_firewall_repository|length > 0
- diff_script_output.changed - diff_script_output.changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- Restart IPv6 Firewall # - Restart IPv6 Firewall
@@ -412,9 +473,9 @@
when: when:
- git_firewall_repository is defined and git_firewall_repository|length > 0 - git_firewall_repository is defined and git_firewall_repository|length > 0
- diff_script_output.changed - diff_script_output.changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- Restart IPv6 Firewall # - Restart IPv6 Firewall
@@ -432,3 +493,8 @@
state: absent state: absent
path: /etc/ipt-firewall/ports.conf path: /etc/ipt-firewall/ports.conf
- name: Delete file '/etc/ipt-firewall/ports.conf' ..
file:
state: absent
path: /etc/ipt-firewall/post_decalrations.conf
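Review bot: Every `notify:` for `Restart IPv4 Firewall` / `Restart IPv6 Firewall` is commented out, including on the two new `blockinfile` tasks, so changes to `/etc/ipt-firewall/main_ipv4.conf`, `main_ipv6.conf` and the refreshed configuration files are written to disk without the running ruleset being reloaded. Hosts then keep enforcing the old rules until the firewall is restarted by hand, and the files no longer describe what is actually in effect. If that is intended for this rollout, say so at the first occurrence, e.g. `# notify disabled on purpose: firewall is restarted manually after review`, or keep `notify:` and gate the handlers (not visible here) with a variable rather than commenting code out. Separately, the final task is still named `Delete file '/etc/ipt-firewall/ports.conf' ..` although it removes `post_decalrations.conf`; `- name: Delete file '/etc/ipt-firewall/post_decalrations.conf' ..` would match what it does.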