Initial commit

Tim Dittler
2020-01-13 14:51:16 +01:00
commit 7c454c1ed4
127 changed files with 7674 additions and 0 deletions


@ -0,0 +1,20 @@
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd nis
group: compat systemd nis
shadow: compat nis
gshadow: files
hosts: files nis mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
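Review bot: The `shadow: compat nis` line makes clients take password hashes from the NIS shadow map, and NIS has no transport encryption, so anyone who can query the domain or observe the LAN may be able to read those hashes; nothing in the file records that this trade-off was accepted. I would add a comment above the `passwd`/`group`/`shadow` lines such as `# NIS maps are served unencrypted; ypserv must be restricted to the client subnets (securenets)`. The server-side restriction should then be confirmed, since this hunk cannot show it. `hosts:` also consults `nis` before `dns`, so the NIS hosts map takes precedence over DNS answers on every client that receives this file.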


@ -0,0 +1,4 @@
[Unit]
DefaultDependencies=no
Wants=rpcbind.target
Before=rpcbind.target


@ -0,0 +1,3 @@
[Service]
IPAddressAllow=192.168.0.0/16
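Review bot: `IPAddressAllow=192.168.0.0/16` opens systemd-logind's network filter to 65,536 addresses, although the only NIS server named in this commit is 192.168.112.10 (`nis_server_address` in roles/common/vars/main.yml). If logind only needs to reach that server for user lookups, the drop-in can be narrowed to `IPAddressAllow=192.168.112.10`. A leading comment such as `# logind needs to reach the NIS server; the stock unit presumably denies all network access` would explain why the restriction is being relaxed.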

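--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Renew nis databases
+shell: make -C /var/yp
+when:
+- "groups['nis_server']|string is search(inventory_hostname)"
+- name: Reload nfs
+service:
+name: nfs-kernel-server
+state: reloaded
+enabled: yes
+when:
+- "groups['nfs_server']|string is search(inventory_hostname)"
+- name: Restart systemd-logind.service
+service:
+name: systemd-logind
+daemon_reload: yes
+state: restarted
+- name: Restart rpcbind
+service:
+name: rpcbind
+daemon_reload: yes
+state: restarted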
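Review bot: Both `when:` conditions test `groups['nis_server']|string is search(inventory_hostname)`, which is a regex search against the stringified group list rather than a membership test. A host whose name is a substring of a group member's name would therefore also match, and dots in a hostname act as wildcards. An exact test is `- inventory_hostname in groups['nis_server']`, and likewise `groups['nfs_server']` on the "Reload nfs" handler. The first handler also runs `make -C /var/yp` through `shell:`; `command: make -C /var/yp` does the same without invoking a shell.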

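--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- import_tasks: nfs.yml
+tags:
+- nfs
+- import_tasks: nis-install-client.yml
+# when: "groups['nis_client']|string is search(inventory_hostname)"
+tags:
+- nis-install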

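--- a/roles/common/tasks/nfs.yml
+++ b/roles/common/tasks/nfs.yml
@@ -0,0 +1,26 @@
+---
+- name: (nfs.yml) Ensure NFS utilities (clients) are installed.
+apt:
+pkg: nfs-common
+state: present
+when:
+- ansible_os_family == "Debian"
+tags:
+- nfs-client
+- name: (nfs.yml) NFS Mount exports from nfs server
+mount:
+path: "{{ item.path }}"
+src: "{{ item.src }}"
+fstype: nfs
+opts: "{{ item.mount_opts }}"
+dump: "{{ item.dump | default(omit) }}"
+passno: "{{ item.passno | default(omit) }}"
+state: mounted
+loop: "{{ nfs_exports }}"
+loop_control:
+label: '{{ item.src }}'
+tags:
+- nfs-client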


@ -0,0 +1,310 @@
---
# ---
# Install nis
# ---
- name: (nis-install-client.yml) Set (nis) default domain (/etc/defaultdomain)
template:
dest: /etc/defaultdomain
src: etc/defaultdomain.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Create preconfigured /etc/yp.conf on nis clients
template:
dest: /etc/yp.conf
src: etc/yp.conf.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
tags:
- nis-install
- nis-install-client
# ---
# /etc/default/nis
# ---
- name: (nis-install-client.yml) Check if file '/etc/default/nis.ORIG' exists
stat:
path: /etc/default/nis.ORIG
register: default_nis_exists
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Backup existing file /etc/default/nis
command: cp -a /etc/default/nis /etc/default/nis.ORIG
when:
- default_nis_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISSERVER' (client)
replace:
path: /etc/default/nis
regexp: '^NISSERVER=.*'
replace: 'NISSERVER=false'
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Adjust file /etc/default/nis - set 'NISCLIENT' (client)
replace:
path: /etc/default/nis
regexp: '^NISCLIENT=.*'
replace: 'NISCLIENT=true'
tags:
- nis-install
- nis-install-client
# ---
# /etc/{passwd,group,shadow}
# ---
- name: (nis-install-client.yml) Add '+::::::' to file /etc/passwd
lineinfile:
path: /etc/passwd
line: '+::::::'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add '+:::' to file /etc/group
lineinfile:
path: /etc/group
line: '+:::'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add '+::::::::' to file /etc/shadow
lineinfile:
path: /etc/shadow
line: '+::::::::'
insertafter: EOF
state: present
owner: root
group: shadow
mode: '0640'
when: "ansible_distribution_major_version|int < 18"
tags:
- nis-install
- nis-install-client
# ---
# /etc/hosts
# ---
- name: (nis-install-client.yml) Check if file '/etc/hosts.ORIG' exists
stat:
path: /etc/hosts.ORIG
register: etc_hosts_orig_exists
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Backup existing file /etc/hosts
command: cp -a /etc/hosts /etc/hosts.ORIG
when:
- etc_hosts_orig_exists.stat.exists == False
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Add nis-server to file /etc/hosts
lineinfile:
path: /etc/hosts
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[1] }}'
insertafter: EOF
state: present
owner: root
group: root
mode: '0644'
tags:
- nis-install
- nis-install-client
# ---
# /etc/nsswitch.conf
# ---
#- name: (nis.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
# stat:
# path: /etc/nsswitch.conf.ORIG
# register: nsswitch_conf_orig_exists
# tags:
# - nis-install
# - nis-install-client
#
#- name: (nis.yml) Backup existing file /etc/nsswitch.conf
# command: cp -a /etc/nsswitch.conf /etc/nsswitch.conf.ORIG
# when:
# - nsswitch_conf_orig_exists.stat.exists == False
# tags:
# - nis-install
# - nis-install-client
#
#- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set hosts)
# replace:
# path: /etc/nsswitch.conf
# regexp: '(hosts:\s+files)\s+([^nis].*)'
# replace: '\1 nis \2'
# tags:
# - nis-install
# - nis-install-client
#
#- name: (nis-install-client.yml) Adjust file /etc/nsswitch.conf (set passwd/group/shadow)
# replace:
# path: /etc/nsswitch.conf
# regexp: '^({{ item }}:\s+.*(?!nis).*)'
# replace: '\1 nis'
# with_items:
# - passwd
# - group
# - shadow
# tags:
# - nis-install
# - nis-install-client
- name: Copy /etc/nsswitch.conf
copy:
src: etc/nsswitch.conf
dest: /etc/nsswitch.conf
owner: root
group: root
mode: 0644
# ---
# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# ---
# - !! Using NIS client in Ubuntu 18.04 crashes both Gnome and Unity !!
# - ===================================================================
#
# - Unter NIS in Ubuntu 18.04 stütrzt Gnome und Unity ab
# -
# - Abhilfe schafft:
# -
#
# - Create a new directory in /etc/systemd/system/ named exactly after the
# - service you want to extend including a '.d', here this would be:
# - systemd-logind.service.d
# -
# - mkdir /etc/systemd/system/systemd-logind.service.d
#
# - Create a new file choose_an_appropriate_name.conf (e.g. nis_allow_network.conf)
# - inside the newly created directory with the following content, which specifies
# - the IP or IP range you want to be allowed:
# -
# - cat <<EOF > /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# - [Service]
# - IPAddressAllow=192.168.0.0/16
# - EOF
# -
# - systemctl daemon-reload
# - systemctl restart systemd-logind.service
- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/systemd-logind.service.d exists
file:
path: /etc/systemd/system/systemd-logind.service.d
owner: root
group: root
mode: '0755'
state: directory
when: "ansible_distribution_major_version|int >= 18"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf exists
copy:
src: "{{ role_path + '/files/etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf' }}"
dest: /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
owner: root
group: root
mode: '0755'
when: "ansible_distribution_major_version|int >= 18"
# XXX: killt meine Xsession (Tim)
# notify:
# - Restart systemd-logind.service
tags:
- nis-install
- nis-install-client
# - Seit Ubuntu 16.04 startet nis vor dem portmapper (rpcbind). Das Starten
# - schlägt deshalb fehl und nis steht nicht zur Verfügung.
# -
# - Abhilfe:
# -
# - Run "systemctl edit rpcbind.socket" and add the following:
# -
# - [Unit]
# - DefaultDependencies=no
# - Wants=rpcbind.target
# - Before=rpcbind.target
# -
# - You can see your changes:
# - cat /etc/systemd/system/rpcbind.socket.d/override.conf
- name: (nis-install-client.yml) Ensure directory /etc/systemd/system/rpcbind.socket.d exists
file:
path: /etc/systemd/system/rpcbind.socket.d
owner: root
group: root
mode: '0755'
state: directory
when: "ansible_distribution_major_version|int >= 16"
tags:
- nis-install
- nis-install-client
- name: (nis-install-client.yml) Ensure file /files/etc/systemd/system/rpcbind.socket.d/override.conf exists
copy:
src: "{{ role_path + '/files/etc/systemd/system/rpcbind.socket.d/override.conf' }}"
dest: /etc/systemd/system/rpcbind.socket.d/override.conf
owner: root
group: root
mode: '0755'
when: "ansible_distribution_major_version|int >= 16"
notify:
- Restart rpcbind
tags:
- nis-install
- nis-install-client
# TODO:
# /etc/systemd/system/systemd-logind.service.d/nis_allow_network.conf
# /etc/systemd/system/rpcbind.socket.d/override.conf
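Review bot: The two systemd drop-ins (`nis_allow_network.conf` and `rpcbind.socket.d/override.conf`) are copied with `mode: '0755'`; they are plain configuration files and should not be executable, so `mode: '0644'` fits both copy tasks. In the /etc/hosts task, `nis_server_name.split(".")[1]` yields the second label of the FQDN (for `file-mbr.mbr-bln.netz` that is `mbr-bln`), which looks like it was meant to be the short host name, `split(".")[0]`. The three `lineinfile` tasks that append `+` entries to /etc/passwd, /etc/group and /etc/shadow edit account databases in place, and `backup: yes` on each would leave a recoverable copy. Three tasks still write `mode: 0644` unquoted while the others quote it; quoting all of them keeps the octal intent unambiguous.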


@ -0,0 +1 @@
{{ nis_domain }}


@ -0,0 +1,31 @@
# {{ ansible_managed }}
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
{% set count = namespace(nfs_exports=100) %}
{% for export in nfs_exports %}
{% set export_str= namespace(nfs_exports = export.src.split(":")[1]) %}
{% set count.nfs_exports = count.nfs_exports + 10 %}
{% for network in export.export_networks %}
{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }})
{% else %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }})
{% endif %}
{% endfor %}
{{ export_str.nfs_exports }}
{% endfor %}


@ -0,0 +1,34 @@
# {{ ansible_managed }}
{% for item in sudoers_file_defaults | default([]) %}
Defaults {{ item }}
{% endfor %}
# Host alias specification
{% for item in sudoers_file_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_file_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_file_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_file_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{# rules for nis users #}
{% for item in nis_user | default([]) %}
{{ item.name }} ALL=(root)NOPASSWD: MOUNT
{% endfor %}
# Group privilege specification
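Review bot: The loop line `{{ item.name }} ALL=(root)NOPASSWD: MOUNT` gives every entry in `nis_user` passwordless root execution of `/bin/mount` and `/bin/umount` with unrestricted arguments (the `MOUNT` alias is defined in roles/common/vars/main.yml). Sudo rights to an unconstrained mount command are generally treated as equivalent to root. The NFS mounts in this commit already carry the `users` option, so the rule may not be needed at all. If it is, the alias should name the exact mount points, for example `/bin/mount /data/shares, /bin/umount /data/shares`. The task that renders this template is not on this page, so it is worth confirming that it passes `validate: 'visudo -cf %s'`.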


@ -0,0 +1,56 @@
# {{ ansible_managed }}
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
{% for item in sudoers_defaults %}
{% if item != '' %}
Defaults {{ item }}
{% endif %}
{% endfor %}
# Host alias specification
{% for item in sudoers_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{% for item in sudoers_user_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Group privilege specification
{% for item in sudoers_group_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d


@ -0,0 +1,24 @@
# {{ ansible_managed }}
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
# Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
# Use broadcast on the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
# Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
# Use server HOSTNAME for the local domain. The
# IP-address of server must be listed in /etc/hosts.
#
# broadcast
# If no server for the default domain is specified or
# none of them is rechable, try a broadcast call to
# find a server.
#
domain {{ nis_domain }} server {{ nis_server_address }}

roles/common/vars/main.yml Executable file

@ -0,0 +1,779 @@
---
# ---
# NFS
# ---
nfs_server: 192.168.112.10
# Set 'fs_encrypted' to true if filesystem lives on an encrypted
# partition.
#
nfs_exports:
- src: 192.168.112.10:/data/home
path: /data/home
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
- src: 192.168.112.10:/data/shares
path: /data/shares
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.112.0/24
- 10.0.112.0/24
- 10.1.112.0/24
- 192.168.63.0/24
fs_encrypted: false
# ---
# Samba / NIS
# ---
samba_server: file-mbr.mbr-bln.netz
samba_shares:
- name: Arbeitsrechtliches
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Ausschreibungen
user:
- anne
- bianca
- chris
- matthias.mueller
- sysadm
- name: BGN-Finanzen-Personal
user:
- anne
- bianca
- carolin
- christina.wendt
- chris
- sysadm
- ulf.balmer
- name: BVV-Projekt
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- praktikum3
- praktikum4
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Finanzen
user:
- anne
- bianca
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: Install
user:
- chris
- sysadm
- lokaladmin
- name: Kamera
user:
- anne
- axis
- bianca
- chris
- sysadm
- name: MBR
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- praktikum3
- praktikum4
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Mobilisierungsplattform
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- praktikum3
- praktikum4
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- praktikum3
- praktikum4
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: RIAS-Finanzen-Personal
user:
- anne
- bianca
- benjamin
- birgit.erhardt
- christina.wendt
- chris
- sysadm
- name: SCAN
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- praktikum3
- praktikum4
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: VDK
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- praktikum3
- praktikum4
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
- name: Video
user:
- alexander.rasumny
- anna.mueller1
- anne
- benjamin
- bianca
- birgit.erhardt
- bjoern.renkewitz
- carolin
- christina.wendt
- chris
- daniel.poensgen
- doku2
- doku_4
- doku_7
- dorina.feldmann
- franziska
- johannes.radke
- judith.heinmueller
- kristina.holzapfel
- lavinia.schwedersky
- manja.kasten
- mathias
- matthias.mueller
- michael.sulies
- michael.trube
- pia.lamberty
- praktikum
- praktikum_rias
- praktikum2
- praktikum2_rias
- praktikum3
- praktikum4
- sabine.kritter
- samuel.signer
- scan
- simon
- sysadm
- ulf.balmer
nis_domain: mbr-bln.netz
#nis_domain: local.netz
nis_server_address: 192.168.112.10
nis_server_name: file-mbr.mbr-bln.netz
#nis_server_name: luna.local.netz
nis_common_packages:
- nis
- nscd
nis_deleted_user: []
nis_base_home: /data/home
nis_groups:
- name: mbr-buero
group_id: 1200
- name: mbr-finanzen
group_id: 1210
- name: mbr-personal
group_id: 1220
- name: mbr-kamera
group_id: 1250
- name: mbr-admins
group_id: 1260
- name: vdk
group_id: 1300
- name: rias
group_id: 1400
- name: rias-finanzen-personal
group_id: 1410
- name: bgn
group_id: 1500
- name: bgn-finanzen-personal
group_id: 1510
nis_user:
- name: chris
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
38643435653764393333613564393733666139656264343833333632373938323230393036303234
3633303562636465643930643961663165646237386664370a386362346162313037353163383365
61343263386239316164613935633062343165363863376462653165306464633136313839343962
3865353333373661390a643564386432643532396632323664383330646430613033643130626430
6139
- name: lokaladmin
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'd4r1usz'
- name: sysadm
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'KPk_Wf2F'
- name: alexander.rasumny
groups:
- mbr-buero
is_samba_user: true
password: 'twT9Rjbv9mjq'
- name: anna.mueller1
groups:
- mbr-buero
is_samba_user: true
password: '5xp5ll9ar13us!'
- name: anne
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'YA!LiLiC0MP5'
- name: axis
groups:
- mbr-buero
is_samba_user: true
password: '20_axis_16'
- name: benjamin
groups:
- mbr-buero
- vdk
- rias
- rias-finanzen-personal
is_samba_user: true
password: 'C2-0U#ch'
- name: bianca
groups:
- mbr-buero
- mbr-finanzen
- mbr-personal
- mbr-kamera
- mbr-admins
- vdk
- rias
- rias-finanzen-personal
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: '73_BiBole_29'
- name: birgit.erhardt
groups:
- mbr-buero
- mbr-finanzen
- vdk
is_samba_user: true
password: '20_purpel!rain_17'
- name: bjoern.renkewitz
groups:
- mbr-buero
is_samba_user: true
password: 'Tz9-Wq-51'
- name: carolin
groups:
- mbr-buero
- bgn-finanzen-personal
is_samba_user: true
password: '20_carol1n_14'
- name: christina.wendt
groups:
- mbr-buero
- mbr-finanzen
- vdk
- rias-finanzen-personal
- bgn-finanzen-personal
is_samba_user: true
password: '8!Varianten'
- name: daniel.poensgen
groups:
- mbr-buero
is_samba_user: true
password: 'rcMRCm7jcpbp'
- name: doku_4
groups:
- mbr-buero
is_samba_user: true
password: 'PwmNvPh9KM4T'
- name: doku_7
groups:
- mbr-buero
is_samba_user: true
password: 'TFhCW9J4Vn4F'
- name: dorina.feldmann
groups:
- mbr-buero
is_samba_user: true
password: '17?4XPQ_!abc'
- name: franziska
groups:
- mbr-buero
is_samba_user: true
password: 'f49mCjbj3Jh7'
- name: frederick.kannenberg
groups:
- mbr-buero
is_samba_user: true
password: 'riasFK2019!#'
- name: doku2
groups:
- mbr-buero
is_samba_user: true
password: '*M0ss4d*'
- name: johannes.radke
groups:
- mbr-buero
is_samba_user: true
password: 'Furzf4brik!'
- name: judith.heinmueller
groups:
- mbr-buero
is_samba_user: true
password: 't32_aHxV.'
- name: kristina.holzapfel
groups:
- mbr-buero
is_samba_user: true
password: 'c7PvX_39.'
- name: lavinia.schwedersky
groups:
- mbr-buero
is_samba_user: true
password: 'xJw.3R9vKf/N'
- name: manja.kasten
groups:
- mbr-buero
is_samba_user: true
password: 'Rasili_&n'
- name: mathias
groups:
- mbr-buero
is_samba_user: true
password: 'p3r*45p3r4*4d*45tr4m'
- name: matthias.mueller
groups:
- mbr-buero
- mbr-personal
is_samba_user: true
password: 'V1v@H@f3rdr1nk'
- name: michael.sulies
groups:
- mbr-buero
is_samba_user: true
password: 'Cryst4lp4l4c3'
- name: michael.trube
groups:
- mbr-buero
- mbr-kamera
is_samba_user: true
password: '*R13sl1ng*'
- name: pia.lamberty
groups:
- mbr-buero
is_samba_user: true
password: 'oasd31*as+Q%'
- name: praktikum
groups:
- mbr-buero
is_samba_user: true
password: '_F313r4b3nd*'
- name: praktikum_rias
groups:
- mbr-buero
is_samba_user: true
password: '7z7F%d3cv_dfjz'
- name: praktikum2
groups:
- mbr-buero
is_samba_user: true
password: '20praktikum213'
- name: praktikum2_rias
groups:
- mbr-buero
is_samba_user: true
password: 'ctnrk3CczcJ9'
- name: praktikum3
groups:
- mbr-buero
is_samba_user: true
password: 'Q56V.6kf/JLQ'
- name: praktikum4
groups:
- mbr-buero
is_samba_user: true
password: '6jA,nmD,fdK!'
- name: sabine.kritter
groups:
- mbr-buero
is_samba_user: true
password: '#17_abc_?!'
- name: samuel.signer
groups:
- mbr-buero
is_samba_user: true
password: 'S4mmyC0mput3r!'
- name: scan
groups:
- mbr-buero
is_samba_user: true
password: '20scan13'
- name: simon
groups:
- mbr-buero
is_samba_user: true
password: 'S4u3rkr4ut!'
- name: ulf.balmer
groups:
- mbr-buero
- bgn
- bgn-finanzen-personal
is_samba_user: true
password: 'ALL3_e6ene#'
# ---
# vars used by roles/ansible_dependencies
# ---
apt_ansible_dependencies:
- python
- python-apt
- python3
- python3-apt
- lsb-release
- apt-transport-https
- dbus
- sudo
- vim
- net-tools
- vlan
# ---
# vars used by roles/ansible_user
# ---
ssh_keys_admin:
- 'ssh-rsa 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 chris@luna'
- 'ssh-rsa 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 root@luna'
ansible_remote_user:
- name: lokaladmin
password: $6$KLQUDbiw$qvsGUndXr2G3DxhML6maD/nsJtXfElSLQ7ufkMuJu2vACbYX7kqNXdiU17oX6CyN5L1xARZ.TiES/w7zfh0Cu/
shell: /bin/bash
# ---
# vars used by roles/common/tasks/basic.yml
# ---
time_zone: Europe/Berlin
locales:
- en_US.UTF-8
- de_DE.UTF-8
set_default_limit_nofile: false
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
sudo_users:
- lokaladmin
# /etc/sudoers
#
sudoers_defaults:
- env_reset
- mail_badpass
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
- name: root
entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
# /etc/sudoers.d/50-user
#
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases:
- name: MOUNT
entry: '/bin/mount,/bin/umount'
sudoers_file_runas_aliases: []
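Review bot: Every `password:` under `nis_user` except the first is stored in clear text, and `ansible_remote_user` carries a crypt hash, so anyone with read access to this repository or its history obtains working credentials for the NIS/Samba accounts. Each value should be a vault-encrypted scalar like the one already used for `chris` (`password: !vault |`), or the whole `nis_user` list should move to a vaulted vars file. Because the values are already committed, they should be treated as exposed and rotated rather than only removed in a later commit. Separately, the long `user:` list under `samba_shares` is repeated verbatim for several shares; defining it once (a shared list variable or a YAML anchor) would make membership changes easier to review.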


@ -0,0 +1 @@
.molecule/


@ -0,0 +1,11 @@
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
truthy: disable


@ -0,0 +1,44 @@
Signal Desktop Ansible role
===========================
Installs [Signal Desktop] on Linux hosts via `apt`.
Requirements
------------
Debian or Ubuntu.
Role Variables
--------------
```yaml
# GPG full fingerprint of apt repo key, retrieved from:
# https://updates.signal.org/desktop/apt/keys.asc
signal_desktop_gpg_fingerprint: "DBA36B5181D0C816F630E889D980A17457F6FB06"
# Prerequisites for configuring HTTPS apt repo.
signal_desktop_apt_dependencies:
- apt-transport-https
- gpg
# Pinning the Xenial repo, works fine on e.g. Debian Stretch.
# The Signal team does not maintain specific versions for other dists,
# so intentionally not using `{{ ansible_distribution }}`
signal_desktop_apt_repo: "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main"
```
Example Playbook
----------------
```yaml
- hosts: workstations
roles:
- role: freedomofpress.signal-desktop
```
License
-------
MIT


@ -0,0 +1,13 @@
---
# GPG full fingerprint of apt repo key, retrieved from:
# https://updates.signal.org/desktop/apt/keys.asc
signal_desktop_gpg_fingerprint: "DBA36B5181D0C816F630E889D980A17457F6FB06"
# Prerequisites for configuring HTTPS apt repo.
signal_desktop_apt_dependencies:
- apt-transport-https
# Pinning the Xenial repo, works fine on e.g. Debian Stretch.
# The Signal team does not maintain specific versions for other dists,
# so intentionally not using `{{ ansible_distribution }}`
signal_desktop_apt_repo: "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main"


@ -0,0 +1,51 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=zyVo
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,2 @@
---
# handlers file for signal-desktop


@ -0,0 +1 @@
{install_date: 'Sun Jan 12 13:47:06 2020', version: master}


@ -0,0 +1,22 @@
---
galaxy_info:
author: Conor Schaefer (@conorsch)
description: Installs Signal Desktop on Linux hosts.
company: Freedom of the Press Foundation (@freedomofpress)
license: MIT
min_ansible_version: 2.4
platforms:
- name: Debian
versions:
- stretch
galaxy_tags:
- chat
- communications
- desktop
- encryption
- im
- secure
- signal
- workstation
dependencies: []


@ -0,0 +1,9 @@
# Molecule managed
FROM {{ item.image }}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi


@ -0,0 +1,16 @@
*******
Install
*******
Requirements
============
* Docker Engine
* docker-py
Install
=======
.. code-block:: bash
$ sudo pip install docker-py


@ -0,0 +1,47 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: False
no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
vars:
molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
molecule_ephemeral_directory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}"
molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"
tasks:
- name: Create Dockerfiles from image names
template:
src: "{{ molecule_scenario_directory }}/Dockerfile.j2"
dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}"
with_items: "{{ molecule_yml.platforms }}"
register: platforms
- name: Discover local Docker images
docker_image_facts:
name: "molecule_local/{{ item.item.name }}"
with_items: "{{ platforms.results }}"
register: docker_images
- name: Build an Ansible compatible image
docker_image:
path: "{{ molecule_ephemeral_directory }}"
name: "molecule_local/{{ item.item.image }}"
dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}"
force: "{{ item.item.force | default(True) }}"
with_items: "{{ platforms.results }}"
when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0
- name: Create molecule instance(s)
docker_container:
name: "{{ item.name }}"
hostname: "{{ item.name }}"
image: "molecule_local/{{ item.image }}"
state: started
recreate: False
log_driver: syslog
command: "{{ item.command | default('sleep infinity') }}"
privileged: "{{ item.privileged | default(omit) }}"
volumes: "{{ item.volumes | default(omit) }}"
capabilities: "{{ item.capabilities | default(omit) }}"
with_items: "{{ molecule_yml.platforms }}"


@ -0,0 +1,16 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: False
no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
vars:
molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"
tasks:
- name: Destroy molecule instance(s)
docker_container:
name: "{{ item.name }}"
state: absent
force_kill: "{{ item.force_kill | default(True) }}"
with_items: "{{ molecule_yml.platforms }}"


@ -0,0 +1,20 @@
---
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
platforms:
- name: instance
image: debian:stretch
provisioner:
name: ansible
lint:
name: ansible-lint
scenario:
name: default
verifier:
name: testinfra
lint:
name: flake8


@ -0,0 +1,5 @@
---
- name: Converge
hosts: all
roles:
- role: signal-desktop


@ -0,0 +1,5 @@
---
- name: Prepare
hosts: all
gather_facts: False
tasks: []


@ -0,0 +1,15 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
@pytest.mark.parametrize('pkg', [
'apt-transport-https',
'signal-desktop',
])
def test_packages_installed(host, pkg):
assert host.package(pkg).is_installed

@ -0,0 +1,27 @@
---
# tasks file for signal-desktop
- name: Installs apt repo prerequisites.
become: yes
apt:
name: "{{ item }}"
state: present
with_items: "{{ signal_desktop_apt_dependencies }}"
- name: Install Signal apt repo GPG key.
become: yes
apt_key:
data: "{{ lookup('file', 'signal-apt-key.asc') }}"
state: present
keyring: /etc/apt/trusted.gpg.d/signal-desktop.gpg
- name: Add Signal apt repo.
become: yes
apt_repository:
repo: "{{ signal_desktop_apt_repo }}"
state: present
- name: Installs Signal desktop.
become: yes
apt:
name: signal-desktop
state: present
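Review bot: The `apt_key` task writes the Signal key to `/etc/apt/trusted.gpg.d/signal-desktop.gpg`, and apt accepts any key in that directory as a valid signer for every configured repository, not only Signal's. A tighter setup installs the key outside `trusted.gpg.d` (for example under `/usr/share/keyrings/`) and binds it to the one source with a `[signed-by=...]` option on the repo line. The value of `signal_desktop_apt_repo` is defined outside this file, so whether it already carries `signed-by` cannot be seen here. Since the key comes from a file shipped with the role, a comment above the task recording the expected key fingerprint would make a later swap of `signal-apt-key.asc` visible in review.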

@ -0,0 +1,2 @@
---
# vars file for signal-desktop

10
roles/ontic.fonts/.gitignore vendored Executable file
@ -0,0 +1,10 @@
# IDE
/.cache/
/.externalToolBuilders/
/.idea/
/.settings/
/.buildpath
/.project
# Vagrant
/.vagrant/

30
roles/ontic.fonts/.travis.yml Executable file
@ -0,0 +1,30 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
services: 'docker'
env:
- distribution: 'centos'
version: '7'
- distribution: 'debian'
version: '9'
- distribution: 'ubuntu'
version: '16.04'
- distribution: 'ubuntu'
version: '18.04'
before_install:
- 'export container_id=$(date +%s)'
- 'export cleanup=false'
- 'wget -O ${PWD}/tests/docker.sh https://raw.githubusercontent.com/ontic/ansible-role-test/master/docker.sh'
- 'chmod +x ${PWD}/tests/docker.sh'
- '${PWD}/tests/docker.sh build'
script:
- '${PWD}/tests/docker.sh test'
- '${PWD}/tests/docker.sh verify'
notifications:
webhooks: 'https://galaxy.ansible.com/api/v1/notifications/'

5
roles/ontic.fonts/COPYING Executable file
@ -0,0 +1,5 @@
Copyright (c) 2010-2018 Ontic. (http://www.ontic.com.au). All rights reserved.
Each Ontic source file included in this distribution is subject to the New BSD license
that is bundled with this package in the LICENSE file. To understand any restrictions on
the use and redistribution of this package please see the LICENSE file for precise details.

26
roles/ontic.fonts/LICENSE Executable file
@ -0,0 +1,26 @@
Copyright (c) 2010-2018 Ontic. (http://www.ontic.com.au). All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of Ontic (http://www.ontic.com.au). nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

81
roles/ontic.fonts/README.md Executable file
@ -0,0 +1,81 @@
# Ontic Fonts ![Status](https://img.shields.io/badge/project-maintained-brightgreen.svg)
| Branch | Build | Galaxy | Release |
| :----------------- | :------------------ | :------------------ | :------------------- |
| **master** | [![Build](https://img.shields.io/travis/ontic/ansible-role-fonts/master.svg)](https://travis-ci.org/ontic/ansible-role-fonts) | [![Galaxy](https://img.shields.io/badge/galaxy-ontic.fonts-blue.svg)](https://galaxy.ansible.com/ontic/fonts) | [![Release](https://img.shields.io/github/release/ontic/ansible-role-fonts.svg)](https://github.com/ontic/ansible-role-fonts/releases) |
## Introduction
This role installs fonts on RedHat/CentOS and Debian/Ubuntu Linux servers.
## Requirements
| Name | Version |
| :-------------------------------------------------------------------------------------------- | :------------ |
None | N/A |
## Installation
We strongly suggest installing this role using [Ansible Galaxy](https://galaxy.ansible.com) so that any dependencies
will get resolved and downloaded automatically. However, we've listed a few other alternatives.
### 1.1 Downloading
Download the project files as a `.zip` archive, extracting them into your `./roles/` directory.
### 1.2 Cloning
Clone the project it into your `./roles/` directory.
### 1.3 Ansible Galaxy
The easiest way to install this module is via the command line:
```
$ ansible-galaxy install ontic.fonts
```
If you have multiple roles to install, the ansible-galaxy CLI can be fed a `requirements.yml` file.
```yml
- src: ontic.fonts
```
```
$ ansible-galaxy install -r requirements.yml
```
Alternatively you could download the source by setting the repository in your `requirements.yml` file:
```yml
- src: git+https://github.com/ontic/ansible-role-fonts.git
version: master
name: ontic.fonts
```
### 2.1 Enabling
Enable the role in your playbook file.
```yml
- name: Example web server
hosts: web_servers
roles:
- { role: ontic.fonts }
```
## Documentation
Full documentation is available in the [docs](/docs) directory.
## Contributors
Below lists all individuals having contributed to the repository. If you would like to get involved, we encourage
you to do so by making a [pull](../../pulls) request or submitting an [issue](../../issues).
* [Adam Dyson](https://github.com/adamdyson)
## License
Licensed under the BSD License. See the [LICENSE](/LICENSE) file for details.

@ -0,0 +1,7 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
fonts_shared:
fonts_user:

@ -0,0 +1,20 @@
# Documentation
## Example
```
fonts_shared:
- type: 'truetype'
src: 'Fabulous.ttf'
dest: 'dafont/Fabulous.ttf'
fonts_user:
- name: 'johndoe'
type: 'opentype'
src: 'Aulyars.otf'
dest: 'dafont/Aulyars.otf'
```
## Role Variables
Available variables are listed below, along with default values (see [defaults/main.yml](/defaults/main.yml)):

@ -0,0 +1,8 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
- name: 'rebuild fonts cache'
become: yes
shell: 'fc-cache -v -f'

@ -0,0 +1 @@
{install_date: 'Fri Jan 10 18:39:38 2020', version: v2.4.0}

31
roles/ontic.fonts/meta/main.yml Executable file
@ -0,0 +1,31 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
dependencies: []
galaxy_info:
author: 'Adam Dyson'
description: 'This role installs fonts on RedHat/CentOS and Debian/Ubuntu Linux servers.'
company: 'Ontic'
license: 'BSD-3-Clause'
min_ansible_version: '2.4'
platforms:
- name: 'Ubuntu'
versions:
- 'xenial'
- 'bionic'
- name: 'Debian'
versions:
- 'stretch'
- name: 'EL'
versions:
- '7'
galaxy_tags:
- 'ontic'
- 'system'
- 'typography'
- 'font'
- 'truetype'
- 'opentype'

@ -0,0 +1,52 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
- name: 'Fonts | Configure shared font directories.'
become: yes
file:
path: '/usr/local/share/fonts/{{ item.type }}/{{ item.dest | dirname }}'
state: 'directory'
group: 'root'
owner: 'root'
mode: '0755'
with_items: '{{ fonts_shared }}'
when: 'fonts_shared | default(None) != None'
- name: 'Fonts | Configure shared fonts.'
become: yes
copy:
src: '{{ item.src }}'
dest: '/usr/local/share/fonts/{{ item.type }}/{{ item.dest }}'
owner: 'root'
group: 'root'
mode: '0644'
register: 'fonts_shared_installed'
notify: 'rebuild fonts cache'
with_items: '{{ fonts_shared }}'
when: 'fonts_shared | default(None) != None'
- name: 'Fonts | Configure user font directories.'
become: yes
file:
path: '/home/{{ item.name }}/.fonts/{{ item.type }}/{{ item.dest | dirname }}'
state: 'directory'
owner: '{{ item.owner | default(item.name) }}'
group: '{{ item.group | default(omit) }}'
mode: '0755'
with_items: '{{ fonts_user }}'
when: 'fonts_user | default(None) != None'
- name: 'Fonts | Configure user fonts.'
become: yes
copy:
src: '{{ item.src }}'
dest: '/home/{{ item.name }}/.fonts/{{ item.type }}/{{ item.dest }}'
owner: '{{ item.owner | default(item.name) }}'
group: '{{ item.group | default(omit) }}'
mode: '{{ item.mode | default(omit) }}'
register: 'fonts_user_installed'
notify: 'rebuild fonts cache'
with_items: '{{ fonts_user }}'
when: 'fonts_user | default(None) != None'

@ -0,0 +1,28 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
- name: 'Fonts | Include OS-specific variables.'
include_vars: '{{ item }}'
with_first_found:
- '{{ ansible_distribution }}.yml'
- '{{ ansible_os_family }}.yml'
tags:
- 'fonts'
- 'fonts-package'
- 'fonts-configure'
- 'package'
- 'configure'
- import_tasks: 'package.yml'
tags:
- 'fonts'
- 'fonts-package'
- 'package'
- import_tasks: 'configure.yml'
tags:
- 'fonts'
- 'fonts-configure'
- 'configure'

@ -0,0 +1,78 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
- name: 'Fonts | Debian | Install HTTPS transport.'
become: yes
apt:
name: 'apt-transport-https'
state: 'latest'
when: 'ansible_os_family == "Debian"'
- name: 'Fonts | Debian | Update repository list.'
become: yes
apt_repository:
repo: '{{ item }}'
state: 'present'
update_cache: false
register: 'fonts_multiverse_installed'
notify: 'rebuild fonts cache'
with_items: '{{ fonts_repositories }}'
when: 'ansible_distribution == "Debian"'
- name: 'Fonts | Debian | Update APT cache.'
become: yes
apt:
update_cache: yes
when: 'ansible_os_family == "Debian" and fonts_multiverse_installed.changed'
- name: 'Fonts | Debian | Install Microsoft Core Fonts prerequisites.'
become: yes
apt:
name: '{{ item }}'
state: 'present'
with_items:
- 'libfreetype6'
- 'libfreetype6-dev'
- 'fontconfig'
when: 'ansible_os_family == "Debian"'
- name: 'Fonts | Debian | Accept Microsoft Core Fonts EULA.'
become: yes
debconf:
name: 'ttf-mscorefonts-installer'
question: 'msttcorefonts/accepted-mscorefonts-eula'
value: 'true'
vtype: 'select'
when: 'ansible_os_family == "Debian"'
- name: 'Fonts | Debian | Install Microsoft Core Fonts.'
become: yes
apt:
name: 'ttf-mscorefonts-installer'
state: 'present'
register: 'fonts_microsoft_installed'
notify: 'rebuild fonts cache'
when: 'ansible_os_family == "Debian"'
- name: 'Fonts | RedHat | Install Microsoft Core Fonts prerequisites.'
become: yes
yum:
name: '{{ item }}'
state: 'present'
with_items:
- 'curl'
- 'cabextract'
- 'xorg-x11-font-utils'
- 'fontconfig'
when: 'ansible_os_family == "RedHat"'
- name: 'Fonts | RedHat | Install Microsoft Core Fonts.'
become: yes
yum:
name: 'https://raw.githubusercontent.com/therevoman/mscorefonts2-code/master/RPMS/noarch/msttcore-fonts-installer-2.6-1.noarch.rpm'
state: 'present'
validate_certs: no
notify: 'rebuild fonts cache'
when: 'ansible_os_family == "RedHat"'
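Review bot: The RedHat install task sets `validate_certs: no` while fetching an RPM over HTTPS from a `master` branch URL on raw.githubusercontent.com, so neither the server's identity nor the package content is fixed, and the result is installed with `become: yes`. Drop the override (`validate_certs: yes` is the module default) and point the URL at a specific commit rather than `master`, or mirror the RPM internally and verify a checksum before installing it. Whether yum additionally enforces a GPG signature on this package cannot be seen from this file. The role appears to be vendored from Galaxy (an earlier section records `install_date` and `version: v2.4.0`), so the change would be a local patch or an upstream report.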

Binary file not shown.

Binary file not shown.

@ -0,0 +1,6 @@
#!/bin/bash
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
# Verify the installed fonts.
docker exec --tty ${container_id} env TERM=xterm fc-list | grep true | sed -e "s|^.*/||" -e "s/:style=\(\<.*\>\).*$/ - \1/" -e "s/,.*$//" | sort

@ -0,0 +1,18 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
- hosts: 'localhost'
vars:
fonts_shared:
- type: 'truetype'
src: '{{ role_path }}/tests/fonts/Fabulous.ttf'
dest: 'dafont/Fabulous.ttf'
fonts_user:
- name: 'root'
type: 'opentype'
src: '{{ role_path }}/tests/fonts/Aulyars.otf'
dest: 'dafont/Aulyars.otf'
roles:
- { role: 'role_under_test' }

@ -0,0 +1,8 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
fonts_repositories:
- 'deb http://ftp.debian.org/debian/ stable main non-free contrib'
- 'deb-src http://ftp.debian.org/debian/ stable main non-free contrib'

@ -0,0 +1,5 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---

@ -0,0 +1,10 @@
# Copyright (c) Ontic. (http://www.ontic.com.au). All rights reserved.
# See the COPYING file bundled with this package for license details.
---
fonts_repositories:
- 'deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }} multiverse'
- 'deb-src http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }} multiverse'
- 'deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-updates multiverse'
- 'deb-src http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-updates multiverse'

@ -0,0 +1,2 @@
exclude_paths:
- ./meta/readme.yml

@ -0,0 +1,4 @@
[clog]
changelog = "CHANGELOG.md"
repository = "https://github.com/weareinteractive/ansible-apt"
from-latest-tag = true

@ -0,0 +1,19 @@
# EditorConfig helps developers define and maintain consistent
# coding styles between different editors and IDEs
# editorconfig.org
root = true
[*]
# Change these settings to your own preference
indent_size = 2
indent_style = space
# We recommend you to keep these unchanged
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
[Makefile]
indent_style = tab

8
roles/weareinteractive.apt/.gitignore vendored Executable file
View File

@ -0,0 +1,8 @@
*.log
*.retry
.DS_Store
.vagrant
.vscode/*
!.vscode/settings.json
!.vscode/extensions.json
.idea

@ -0,0 +1,60 @@
---
sudo: required
language: python
services:
- docker
env:
global:
- role: weareinteractive.apt
matrix:
- distribution: Ubuntu
distribution_version: "18.04"
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distribution: Ubuntu
distribution_version: "16.04"
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distribution: Ubuntu
distribution_version: "14.04"
init: /sbin/init
run_opts: ""
- distribution: Debian
distribution_version: "9"
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distribution: Debian
distribution_version: "8"
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
before_install:
- sudo apt-get update
- sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
- docker pull ansiblecheck/ansiblecheck:"${distribution,,}"-"${distribution_version}"
script:
- container_id=$(mktemp)
# Start The Built Container In The Background
- docker run -d -v "${PWD}":/etc/ansible/roles/${role}:ro ${run_opts} ansiblecheck/ansiblecheck:"${distribution,,}"-"${distribution_version}" "${init}" > "${container_id}"
# Print ansible version
- docker exec -t "$(cat ${container_id})" env TERM=xterm ansible --version
# Ansible syntax check.
- 'docker exec -t "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/${role}/tests/main.yml --syntax-check'
# Test role.
- 'docker exec "$(cat ${container_id})" env ANSIBLE_FORCE_COLOR=1 ansible-playbook /etc/ansible/roles/${role}/tests/main.yml'
# Test Idempotence
- idempotence=$(mktemp)
- docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/${role}/tests/main.yml | tee -a ${idempotence}
- >
tail ${idempotence}
| grep -q 'failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

@ -0,0 +1,5 @@
{
"recommendations": [
"vscoss.vscode-ansible"
]
}

@ -0,0 +1,5 @@
{
"files.associations": {
"*.yml": "ansible"
}
}

@ -0,0 +1,230 @@
<a name="2.9.1"></a>
### 2.9.1 (2019-12-08)
#### Bug Fixes
* fix lint error ([65f889bd](https://github.com/weareinteractive/ansible-apt/commit/65f889bd07e3a7fd33e7df42023e7543b8af7c4a))
<a name="2.9.0"></a>
## 2.9.0 (2019-12-08)
#### Bug Fixes
* fix logic with apt_remove_recommends variable ([eaea78e1](https://github.com/weareinteractive/ansible-apt/commit/eaea78e1fb43f86b2a27db23ba121e805de8d835))
<a name="2.8.0"></a>
## 2.8.0 (2019-10-18)
#### Features
* remove depricated apt_remount_filesystem ([7ca12fb4](https://github.com/weareinteractive/ansible-apt/commit/7ca12fb483e0cd8272589e5b1393e4c74611fb2a))
<a name="2.7.0"></a>
## 2.7.0 (2019-09-16)
#### Features
* extend unattended update config Merge branch 'pbessonies-feature/update_unattended_template' ([7b2c0e4f](https://github.com/weareinteractive/ansible-apt/commit/7b2c0e4fadf07feb8ef3a97425a282b38315a44b))
<a name="2.6.1"></a>
### 2.6.1 (2019-09-16)
#### Bug Fixes
* ensure unattended-upgrades package installation ([03740eea](https://github.com/weareinteractive/ansible-apt/commit/03740eea70fdf744256e708798ea048be22a2a9e))
#### Features
* add bool check ([1f9f71d3](https://github.com/weareinteractive/ansible-apt/commit/1f9f71d32df59563ebb2fb40b82ddc2e916e9de8))
<a name="2.5.1"></a>
### 2.5.1 (2019-06-17)
#### Features
* update syntax to ansible 2.8 ([fa5f8740](https://github.com/weareinteractive/ansible-apt/commit/fa5f87400d1d1db233bffcf8ced0b82c6460fd4d))
<a name="2.5.0"></a>
## 2.5.0 (2018-12-12)
#### Features
* add apt pinning ([349d5b09](https://github.com/weareinteractive/ansible-apt/commit/349d5b09a9b90513da4b66829eca1172da692e96))
* added apt pinning ([d66994de](https://github.com/weareinteractive/ansible-apt/commit/d66994de87a291cb5a2ebfe2ed4867e290ad68fb))
<a name="2.4.2"></a>
### 2.4.2 (2018-11-01)
#### Features
* add options to apt_keys and apt_repositories ([f2ce4e0e](https://github.com/weareinteractive/ansible-apt/commit/f2ce4e0e6d41f539610adb34e0ac1093e482677c))
* added options ([bb80fe88](https://github.com/weareinteractive/ansible-apt/commit/bb80fe8804ee2bac18065b89a8abcadc14f0ed9b))
<a name="2.4.1"></a>
### 2.4.1 (2018-11-01)
#### Bug Fixes
* fix deprication warning for ansible 2.7 and apt package loops ([556b6445](https://github.com/weareinteractive/ansible-apt/commit/556b6445e748004846c6e16248d9d92b69afd0c3))
<a name="2.5.0"></a>
## 2.5.0 (2018-10-08)
<a name="2.3.1"></a>
### 2.3.1 (2017-12-18)
#### Bug Fixes
* rename missing include to include_tasks ([da051d29](https://github.com/weareinteractive/ansible-apt/commit/da051d29e279e48061e7e6b41f504a00f1508b16))
<a name="2.3.0"></a>
## 2.3.0 (2017-12-18)
#### Features
* upgrade tasks for ansible 2.4 ([6e5a1ca4](https://github.com/weareinteractive/ansible-apt/commit/6e5a1ca49a855e7c183446cb4a2d817d58bab59f))
<a name="2.2.0"></a>
## 2.2.0 (2017-08-24)
#### Features
* add option to alter solution cost ([cfaf694c](https://github.com/weareinteractive/ansible-apt/commit/cfaf694c6ea921e6d6209db0e851c84dd35c8fe2))
* allow multiple file systems to be remounted ([5cb5a96c](https://github.com/weareinteractive/ansible-apt/commit/5cb5a96cfbdce66f7b5f4d2f7716e1e30279ac98))
<a name="2.1.0"></a>
## 2.1.0 (2017-01-27)
#### Features
* use builtin autoremove option ([87a34935](https://github.com/weareinteractive/ansible-apt/commit/87a34935874f78d4752f2557c9094496eb51a391))
<a name="2.0.3"></a>
### 2.0.3 (2016-08-18)
#### Bug Fixes
* fix proxy config conditions ([27787e80](https://github.com/weareinteractive/ansible-apt/commit/27787e80dc805a828af35b7206aae835e9d8b0aa))
<a name="2.0.2"></a>
### 2.0.2 (2016-04-25)
#### Features
* always get latest unattended-upgrades instead of just present ([a927d6af](https://github.com/weareinteractive/ansible-apt/commit/a927d6afbc0b35481c5eea3623cd5eebf7a3d415))
<a name="2.0.1"></a>
### 2.0.1 (2016-03-22)
#### Features
* escape bare variables ([96525b39](https://github.com/weareinteractive/ansible-apt/commit/96525b393671352973d81abfcb942272f70dc6bd))
<a name="2.0.0"></a>
## 2.0.0 (2016-03-15)
#### Features
* update to ansible 2.0 ([052bc675](https://github.com/weareinteractive/ansible-apt/commit/052bc675f01ded71c7bd9bd7e8154ecb2f600c4a))
<a name="1.8.0"></a>
## 1.8.0 (2016-01-11)
#### Features
* add support for proxy servers ([91ae92f5](https://github.com/weareinteractive/ansible-apt/commit/91ae92f56e7f3fa2f9851adc03235d3985dd7b7e))
<a name="1.7.1"></a>
### 1.7.1 (2015-12-03)
#### Features
* adds variables to configure apt ([3ec652be](https://github.com/weareinteractive/ansible-apt/commit/3ec652be9513b0d8b9b1bb7f317aa6a4c30256ff))
* only adds 50unattended-upgrades config if enabled ([14742e5e](https://github.com/weareinteractive/ansible-apt/commit/14742e5ee87bf135edf8756ce9cd197ca65b346d))
* updates travis tests ([2d1873da](https://github.com/weareinteractive/ansible-apt/commit/2d1873daec0e1b76e4bcafbb898ac63c4b12e91f))
* using ansible-role to generate README ([3abe7246](https://github.com/weareinteractive/ansible-apt/commit/3abe72463af5d4d101570e233d497a96e910e4ea))
* adds CHANGELOG ([5f4c6673](https://github.com/weareinteractive/ansible-apt/commit/5f4c66734445e239fb96faec557a6c5e708cd5b3))
#### Bug Fixes
* fixes quotation marks on 'APT::Periodic::Enable' value ([bf19c900](https://github.com/weareinteractive/ansible-apt/commit/bf19c90034badb1173ad9b204d815d17cd33ba9d))
* fixes the usage of unattended upgrades ([04f25734](https://github.com/weareinteractive/ansible-apt/commit/04f25734fa29aba48ec3f9461c9488785bfe8ae3))
<a name="1.7.0"></a>
## 1.7.0 (2015-11-30)
#### Features
* adds variables to configure apt ([3ec652be](https://github.com/weareinteractive/ansible-apt/commit/3ec652be9513b0d8b9b1bb7f317aa6a4c30256ff))
* only adds 50unattended-upgrades config if enabled ([14742e5e](https://github.com/weareinteractive/ansible-apt/commit/14742e5ee87bf135edf8756ce9cd197ca65b346d))
* updates travis tests ([2d1873da](https://github.com/weareinteractive/ansible-apt/commit/2d1873daec0e1b76e4bcafbb898ac63c4b12e91f))
* using ansible-role to generate README ([3abe7246](https://github.com/weareinteractive/ansible-apt/commit/3abe72463af5d4d101570e233d497a96e910e4ea))
* adds CHANGELOG ([5f4c6673](https://github.com/weareinteractive/ansible-apt/commit/5f4c66734445e239fb96faec557a6c5e708cd5b3))
#### Bug Fixes
* fixes the usage of unattended upgrades ([04f25734](https://github.com/weareinteractive/ansible-apt/commit/04f25734fa29aba48ec3f9461c9488785bfe8ae3))

@ -0,0 +1,22 @@
Copyright (c) We Are Interactive
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following
conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

@ -0,0 +1,41 @@
PWD=$(shell pwd)
ROLE_NAME=weareinteractive.apt
ROLE_PATH=/etc/ansible/roles/$(ROLE_NAME)
TEST_VERSION=ansible --version
TEST_SYNTAX=ansible-playbook -v -i 'localhost,' -c local $(ROLE_PATH)/tests/main.yml --syntax-check
TEST_PLAYBOOK=ansible-playbook -v -i 'localhost,' -c local $(ROLE_PATH)/tests/main.yml
TEST_IDEMPOTENT=$(TEST_PLAYBOOK) | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)
TEST_CMD=$(TEST_VERSION); $(TEST_SYNTAX); $(TEST_DEPS); $(TEST_PLAYBOOK); $(TEST_IDEMPOTENT)
docs:
ansible-role docgen
lint:
ansible-lint .
ubuntu%: TEST_DEPS=apt-get update && \
apt-get install -y python
ubuntu18.04: dist=ubuntu-18.04
ubuntu18.04: .run
ubuntu16.04: dist=ubuntu-16.04
ubuntu16.04: .run
ubuntu14.04: dist=ubuntu-14.04
ubuntu14.04: .run
debian%: TEST_DEPS=apt-get update && \
apt-get install -y python
debian9: dist=debian-9
debian9: .run
debian8: dist=debian-8
debian8: .run
.run:
@echo "RUN:"
@echo " docker run -it --rm -v $(PWD):$(ROLE_PATH) ansiblecheck/ansiblecheck:$(dist) /bin/bash"
@echo " $(TEST_CMD)"
@docker run -it --rm -v $(PWD):$(ROLE_PATH) ansiblecheck/ansiblecheck:$(dist) /bin/bash -c "$(TEST_CMD)"

@ -0,0 +1,268 @@
# Ansible weareinteractive.apt role
[![Build Status](https://img.shields.io/travis/weareinteractive/ansible-apt.svg)](https://travis-ci.org/weareinteractive/ansible-apt)
[![Galaxy](http://img.shields.io/badge/galaxy-weareinteractive.apt-blue.svg)](https://galaxy.ansible.com/weareinteractive/apt)
[![GitHub Tags](https://img.shields.io/github/tag/weareinteractive/ansible-apt.svg)](https://github.com/weareinteractive/ansible-apt)
[![GitHub Stars](https://img.shields.io/github/stars/weareinteractive/ansible-apt.svg)](https://github.com/weareinteractive/ansible-apt)
> `weareinteractive.apt` is an [Ansible](http://www.ansible.com) role which:
>
> * updates apt
> * cleans up apt
> * configures apt
> * installs packages
> * add repositories
> * add keys
> * apt pinning
> * manages unattended upgrades
> * optionally alters solution cost
> * optionally allows filesystems to be remounted
**Note:**
> Since Ansible Galaxy supports [organization](https://www.ansible.com/blog/ansible-galaxy-2-release) now, this role has moved from `franklinkim.apt` to `weareinteractive.apt`!
## Installation
Using `ansible-galaxy`:
```shell
$ ansible-galaxy install weareinteractive.apt
```
Using `requirements.yml`:
```yaml
- src: weareinteractive.apt
```
Using `git`:
```shell
$ git clone https://github.com/weareinteractive/ansible-apt.git weareinteractive.apt
```
## Dependencies
* Ansible >= 2.4
## Variables
Here is a list of all the default variables for this role, which are also available in `defaults/main.yml`.
```yaml
---
# apt_unattended_upgrades_blacklist:
# - vim
# - libc6
# apt_mails:
# - root
# - foo@dev.null
# apt_keys:
# - id: 473041FA
# file: /tmp/apt.gpg
# data: "{{ lookup('file', 'apt.asc') }}"
# keyring: /etc/apt/trusted.gpg.d/debian.gpg
# keyserver: keyserver.ubuntu.com
# url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
# validate_certs: yes
# state: present
# apt_repositories:
# - codename: trusty
# filename: google-chrome
# mode: 0644
# repo: 'ppa:nginx/stable'
# state: present
# update_cache: yes
# sets the amount of time the cache is valid
apt_cache_valid_time: 3600
# upgrade system: safe | full | dist
apt_upgrade: no
# packages to install
apt_packages: []
# remove packages that are no longer needed for dependencies
apt_autoremove: yes
# remove .deb files for packages no longer on your system
apt_autoclean: yes
# .deb packages to install.
apt_deb_packages: []
# whether or not suggested packages should be installed.
apt_install_suggests: no
# do not install Recommended packages by default
apt_install_recommends: no
# allow 'apt-get autoremove' to remove recommended packages
apt_remove_recommends: no
# Enable the update/upgrade script
apt_periodic: yes
# Do “apt-get update” automatically every n-days (0=disable)
apt_update_package_lists: 1
# Do “apt-get upgrade download-only” every n-days (0=disable)
apt_download_upgradeable_packages: 0
# Do “apt-get autoclean” every n-days (0=disable)
apt_auto_clean_interval: 0
# enable unattended-upgrades
apt_unattended_upgrades: yes
# list of origins patterns to control which packages are upgraded
# replaces allowed-origins, kept for compatibility
apt_unattended_upgrades_origins: []
# List of allowed-origins, default value kept for compatibility
# set to null to use origins-pattern
apt_unattended_upgrades_allowed:
- ${distro_id}:${distro_codename}-security
# list of packages to not update (regexp are supported)
apt_unattended_upgrades_blacklist: []
# Split the upgrade into the smallest possible chunks so that
# they can be interrupted with SIGUSR1. This makes the upgrade
# a bit slower but it has the benefit that shutdown while a upgrade
# is running is possible (with a small delay)
apt_unattended_upgrades_minimal_steps: no
# Send email to this address for problems or packages upgrades
# If empty or unset then no email is sent, make sure that you
# have a working mail setup on your system. A package that provides
# 'mailx' must be installed. E.g. "user@example.com"
apt_mails: []
# Set this value to "true" to get emails only on errors. Default
# is to always send a mail if Unattended-Upgrade::Mail is set
apt_unattended_upgrades_notify_error_only: yes
# Do automatic removal of new unused dependencies after the upgrade
# (equivalent to apt-get autoremove)
apt_unattended_upgrades_autoremove: yes
# Automatically reboot *WITHOUT CONFIRMATION*
# if the file /var/run/reboot-required is found after the upgrade
apt_unattended_upgrades_automatic_reboot: no
# Automatically reboot even if there are users currently logged in.
apt_unattended_upgrades_automatic_reboot_with_users: no
# If automatic reboot is enabled and needed, reboot at the specific
# time instead of immediately
# Values: now | 02:00 | ...
apt_unattended_upgrades_automatic_reboot_time: now
# Enable logging to syslog.
apt_unattended_upgrades_syslog_enable: no
# Specify syslog facility.
apt_unattended_upgrades_syslog_facility: daemon
# Override download timer ? Default no
apt_unattended_upgrades_download_timer_override: null
# In case of override :
# apt_unattended_upgrades_download_timer_override:
# on_calendar_replace: (true|false) If true, delete default system schedule. If not, default and new schedules will be merged
# on_calendar: new schedule, see man systemd.time.7, example : 'Mon..Fri *-*-* 6:00'
# randomized_delay_sec: random delay in sec
# persistent: (true|false)
# See systemd.time.5 for random delay and persistent
# Override upgrade timer the same way
apt_unattended_upgrades_upgrade_timer_override: null
# apt_unattended_upgrades_upgrade_timer_override:
# on_calendar_replace:
# on_calendar:
# randomized_delay_sec:
# persistent:
# remount file system: currently supported options are rootfs and tmpfs
# tmpfs: remount tmp before running if mounted noexec
# rootfs: remount root filesystem r/w before running if mounted r/o
apt_remount_filesystems: []
# repositories to register
apt_repositories: []
# gpg keys for external repositories
apt_keys: []
# HTTP proxy server (optional)
# apt_http_proxy_address:
# HTTP pipeline depth (optional)
# apt_http_pipeline_depth: 5
# Change Aptitudes solution costs, default is not to change anything
# Mirror https://lists.debian.org/543FF3BD.1020609@zen.co.uk
# apt_aptitude_solution_cost:
# - priority
# - removals
# - canceled-actions
apt_aptitude_solution_cost: []
# List of preferences options.
# apt_preferences:
# - file: perl
# package: perl
# pin: "version 5.20*"
# priority: 1001
apt_preferences: []
```
## Handlers
These are the handlers that are defined in `handlers/main.yml`.
```yaml
---
- name: reload systemd
systemd:
daemon_reload: true
```
## Usage
This is an example playbook:
```yaml
---
- hosts: all
become: yes
roles:
- weareinteractive.apt
vars:
apt_cache_valid_time: 7200
apt_packages:
- vim
- tree
- ca-certificates
apt_deb_packages:
- "https://releases.hashicorp.com/vagrant/2.1.5/vagrant_2.1.5_x86_64.deb"
apt_mails:
- root
apt_preferences:
- file: perl
package: perl
pin: "version 5.20*"
priority: 1001
apt_unattended_upgrades_notify_error_only: no
```
## Testing
```shell
$ git clone https://github.com/weareinteractive/ansible-apt.git
$ cd ansible-apt
$ make test
```
## Contributing
In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.
1. Fork it
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request
*Note: To update the `README.md` file please install and run `ansible-role`:*
```shell
$ gem install ansible-role
$ ansible-role docgen
```
## License
Copyright (c) We Are Interactive under the MIT license.

@ -0,0 +1,141 @@
---
# apt_unattended_upgrades_blacklist:
# - vim
# - libc6
# apt_mails:
# - root
# - foo@dev.null
# apt_keys:
# - id: 473041FA
# file: /tmp/apt.gpg
# data: "{{ lookup('file', 'apt.asc') }}"
# keyring: /etc/apt/trusted.gpg.d/debian.gpg
# keyserver: keyserver.ubuntu.com
# url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
# validate_certs: yes
# state: present
# apt_repositories:
# - codename: trusty
# filename: google-chrome
# mode: 0644
# repo: 'ppa:nginx/stable'
# state: present
# update_cache: yes
# sets the amount of time the cache is valid
apt_cache_valid_time: 3600
# upgrade system: safe | full | dist
apt_upgrade: no
# packages to install
apt_packages: []
# remove packages that are no longer needed for dependencies
apt_autoremove: yes
# remove .deb files for packages no longer on your system
apt_autoclean: yes
# .deb packages to install.
apt_deb_packages: []
# whether or not suggested packages should be installed.
apt_install_suggests: no
# do not install Recommended packages by default
apt_install_recommends: no
# allow 'apt-get autoremove' to remove recommended packages
apt_remove_recommends: no
# Enable the update/upgrade script
apt_periodic: yes
# Do “apt-get update” automatically every n-days (0=disable)
apt_update_package_lists: 1
# Do “apt-get upgrade download-only” every n-days (0=disable)
apt_download_upgradeable_packages: 0
# Do “apt-get autoclean” every n-days (0=disable)
apt_auto_clean_interval: 0
# enable unattended-upgrades
apt_unattended_upgrades: yes
# list of origins patterns to control which packages are upgraded
# replaces allowed-origins, kept for compatibility
apt_unattended_upgrades_origins: []
# List of allowed-origins, default value kept for compatibility
# set to null to use origins-pattern
apt_unattended_upgrades_allowed:
- ${distro_id}:${distro_codename}-security
# list of packages to not update (regexp are supported)
apt_unattended_upgrades_blacklist: []
# Split the upgrade into the smallest possible chunks so that
# they can be interrupted with SIGUSR1. This makes the upgrade
# a bit slower but it has the benefit that shutdown while a upgrade
# is running is possible (with a small delay)
apt_unattended_upgrades_minimal_steps: no
# Send email to this address for problems or packages upgrades
# If empty or unset then no email is sent, make sure that you
# have a working mail setup on your system. A package that provides
# 'mailx' must be installed. E.g. "user@example.com"
apt_mails: []
# Set this value to "true" to get emails only on errors. Default
# is to always send a mail if Unattended-Upgrade::Mail is set
apt_unattended_upgrades_notify_error_only: yes
# Do automatic removal of new unused dependencies after the upgrade
# (equivalent to apt-get autoremove)
apt_unattended_upgrades_autoremove: yes
# Automatically reboot *WITHOUT CONFIRMATION*
# if the file /var/run/reboot-required is found after the upgrade
apt_unattended_upgrades_automatic_reboot: no
# Automatically reboot even if there are users currently logged in.
apt_unattended_upgrades_automatic_reboot_with_users: no
# If automatic reboot is enabled and needed, reboot at the specific
# time instead of immediately
# Values: now | 02:00 | ...
apt_unattended_upgrades_automatic_reboot_time: now
# Enable logging to syslog.
apt_unattended_upgrades_syslog_enable: no
# Specify syslog facility.
apt_unattended_upgrades_syslog_facility: daemon
# Override download timer ? Default no
apt_unattended_upgrades_download_timer_override: null
# In case of override :
# apt_unattended_upgrades_download_timer_override:
# on_calendar_replace: (true|false) If true, delete default system schedule. If not, default and new schedules will be merged
# on_calendar: new schedule, see man systemd.time.7, example : 'Mon..Fri *-*-* 6:00'
# randomized_delay_sec: random delay in sec
# persistent: (true|false)
# See systemd.time.5 for random delay and persistent
# Override upgrade timer the same way
apt_unattended_upgrades_upgrade_timer_override: null
# apt_unattended_upgrades_upgrade_timer_override:
# on_calendar_replace:
# on_calendar:
# randomized_delay_sec:
# persistent:
# remount file system: currently supported options are rootfs and tmpfs
# tmpfs: remount tmp before running if mounted noexec
# rootfs: remount root filesystem r/w before running if mounted r/o
apt_remount_filesystems: []
# repositories to register
apt_repositories: []
# gpg keys for external repositories
apt_keys: []
# HTTP proxy server (optional)
# apt_http_proxy_address:
# HTTP pipeline depth (optional)
# apt_http_pipeline_depth: 5
# Change Aptitudes solution costs, default is not to change anything
# Mirror https://lists.debian.org/543FF3BD.1020609@zen.co.uk
# apt_aptitude_solution_cost:
# - priority
# - removals
# - canceled-actions
apt_aptitude_solution_cost: []
# List of preferences options.
# apt_preferences:
# - file: perl
# package: perl
# pin: "version 5.20*"
# priority: 1001
apt_preferences: []


@ -0,0 +1,5 @@
---
- name: reload systemd
systemd:
daemon_reload: true


@ -0,0 +1,2 @@
install_date: Sat Jan 11 17:32:26 2020
version: 2.9.1


@ -0,0 +1,142 @@
---
galaxy_info:
author: franklin
company: We Are Interactive
description: Configures apt and installs/updates packages
min_ansible_version: 2.4
license: MIT
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If travis integration is cofigured, only notification for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
github_branch: master
#
# Below are all platforms currently available. Just uncomment
# the ones that apply to your role. If you don't see your
# platform on this list, let us know and we'll get it added!
#
platforms:
#- name: EL
# versions:
# - all
# - 5
# - 6
# - 7
#- name: GenericUNIX
# versions:
# - all
# - any
#- name: Solaris
# versions:
# - all
# - 10
# - 11.0
# - 11.1
# - 11.2
# - 11.3
#- name: Fedora
# versions:
# - all
# - 16
# - 17
# - 18
# - 19
# - 20
# - 21
# - 22
# - 23
#- name: Windows
# versions:
# - all
# - 2012R2
#- name: SmartOS
# versions:
# - all
# - any
#- name: opensuse
# versions:
# - all
# - 12.1
# - 12.2
# - 12.3
# - 13.1
# - 13.2
#- name: Amazon
# versions:
# - all
# - 2013.03
# - 2013.09
#- name: GenericBSD
# versions:
# - all
# - any
#- name: FreeBSD
# versions:
# - all
# - 10.0
# - 10.1
# - 10.2
# - 8.0
# - 8.1
# - 8.2
# - 8.3
# - 8.4
# - 9.0
# - 9.1
# - 9.1
# - 9.2
# - 9.3
- name: Ubuntu
versions:
- all
# - lucid
# - maverick
# - natty
# - oneiric
# - precise
# - quantal
# - raring
# - saucy
# - trusty
# - utopic
# - vivid
# - wily
#- name: SLES
# versions:
# - all
# - 10SP3
# - 10SP4
# - 11
# - 11SP1
# - 11SP2
# - 11SP3
#- name: GenericLinux
# versions:
# - all
# - any
- name: Debian
versions:
- all
# - etch
# - jessie
# - lenny
# - squeeze
# - wheezy
#
# List tags for your role here, one per line. A tag is
# a keyword that describes and categorizes the role.
# Users find roles by searching for tags. Be sure to
# remove the '[]' above if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of
# alphanumeric characters. Maximum 20 tags per role.
galaxy_tags:
- system
- apt
# List your role dependencies here, one per line. Only
# dependencies available via galaxy should be listed here.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
dependencies: []


@ -0,0 +1,25 @@
---
galaxy_name: weareinteractive.apt
github_user: weareinteractive
github_name: ansible-apt
badges: |
[![Build Status](https://img.shields.io/travis/weareinteractive/ansible-apt.svg)](https://travis-ci.org/weareinteractive/ansible-apt)
[![Galaxy](http://img.shields.io/badge/galaxy-weareinteractive.apt-blue.svg)](https://galaxy.ansible.com/weareinteractive/apt)
[![GitHub Tags](https://img.shields.io/github/tag/weareinteractive/ansible-apt.svg)](https://github.com/weareinteractive/ansible-apt)
[![GitHub Stars](https://img.shields.io/github/stars/weareinteractive/ansible-apt.svg)](https://github.com/weareinteractive/ansible-apt)
description: |
> * updates apt
> * cleans up apt
> * configures apt
> * installs packages
> * add repositories
> * add keys
> * apt pinning
> * manages unattended upgrades
> * optionally alters solution cost
> * optionally allows filesystems to be remounted
**Note:**
> Since Ansible Galaxy supports [organization](https://www.ansible.com/blog/ansible-galaxy-2-release) now, this role has moved from `franklinkim.apt` to `weareinteractive.apt`!


@ -0,0 +1,65 @@
---
- name: Configuring APT
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
with_items:
- "etc/apt/apt.conf.d/10general"
- "etc/apt/apt.conf.d/10periodic"
- name: Configuring APT
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
when: apt_unattended_upgrades | bool
with_items:
- "etc/apt/apt.conf.d/50unattended-upgrades"
- name: Configuring APT Download timer
include_tasks: unattended_upgrades_download_timer.yml
when: apt_unattended_upgrades_download_timer_override is not none
- name: Configuring APT Upgrade timer
include_tasks: unattended_upgrades_upgrade_timer.yml
when: apt_unattended_upgrades_upgrade_timer_override is not none
- name: Configuring remount filesystems
template:
src: "etc/apt/apt.conf.d/10remount_{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/10remount_{{ item }}"
owner: "root"
group: "root"
mode: "0644"
when: apt_remount_filesystems | bool
with_items:
- "{{ apt_remount_filesystems }}"
- name: Configuring APT proxy behavior
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
when: apt_http_proxy_address is defined or apt_https_proxy_address is defined
with_items:
- "etc/apt/apt.conf.d/00proxy"
- name: Alter Aptitude solution costs
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
when: apt_aptitude_solution_cost | bool
with_items:
- "etc/apt/apt.conf.d/20alter-aptitude-solution-cost"
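Review bot: The guards `when: apt_remount_filesystems | bool` on `Configuring remount filesystems` and `when: apt_aptitude_solution_cost | bool` on `Alter Aptitude solution costs` are applied to list variables. Ansible's `bool` filter returns false for anything that is not a boolean or a truthy string/number, so as far as I can tell both tasks are skipped even when the lists are populated. For the remount task the condition can simply be dropped, since `with_items` over an empty list already does nothing; for the solution-cost task use `when: apt_aptitude_solution_cost | length > 0`. This is worth confirming on the Ansible version in use, because a silently skipped remount drop-in means dpkg runs against a read-only root or a noexec /tmp and package updates fail.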


@ -0,0 +1,7 @@
---
- name: Installing .deb packages
apt:
deb: "{{ item }}"
autoremove: "{{ apt_autoremove }}"
with_items: "{{ apt_deb_packages }}"
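Review bot: `deb: "{{ item }}"` installs whatever each `apt_deb_packages` entry points at, and when the entry is a URL (the example playbook uses an https release URL) the package is downloaded and handed to dpkg with no checksum or signature pinned on this side. Unlike a repository install, a standalone .deb is not covered by apt's signed-metadata check, so integrity rests on TLS and the remote host alone, and the package's maintainer scripts run as root. Consider fetching with `get_url` and `checksum: "sha256:<expected-digest>"` first and passing the local path to `deb:`, or at least add a comment stating that entries should be local, pre-verified files.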


@ -0,0 +1,11 @@
---
- name: Installing required packages
apt:
name: "{{ packages }}"
state: present
vars:
packages:
- aptitude
- python-apt
- python-pycurl


@ -0,0 +1,6 @@
---
- include_tasks: update.yml
- include_tasks: upgrade.yml
- include_tasks: dependencies.yml
- include_tasks: unattended_upgrades.yml


@ -0,0 +1,13 @@
---
- name: Adding apt signing key
apt_key:
id: "{{ item.id | default(omit) }}"
file: "{{ item.file | default(omit) }}"
data: "{{ item.data | default(omit) }}"
keyring: "{{ item.keyring | default(omit) }}"
keyserver: "{{ item.keyserver | default(omit) }}"
url: "{{ item.url | default(omit) }}"
validate_certs: "{{ item.validate_certs | default(omit) }}"
state: "{{ item.state | default('present') }}"
with_items: "{{ apt_keys }}"
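Review bot: Every field of `Adding apt signing key` falls back to `omit`, so an `apt_keys` entry that gives only `url` or `keyserver` is accepted with no `id` to compare the fetched key against. The commented example in the defaults also uses an 8-hex-digit id (`473041FA`), a length at which distinct keys can share the same id. Unless an entry sets a dedicated `keyring`, a key added by this module is presumably trusted for every configured source, not only the repository it was meant for. I would add a comment above the task such as `# id: give the full 40-hex fingerprint; short ids are not unique` and change the defaults example to match. `validate_certs` is also overridable per entry and deserves a note that it should stay enabled.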


@ -0,0 +1,22 @@
---
- import_tasks: config.yml
tags:
- system
- apt
- config
- apt-config
- import_tasks: install.yml
tags:
- system
- apt
- install
- apt-install
- import_tasks: manage.yml
tags:
- system
- apt
- manage
- apt-manage


@ -0,0 +1,7 @@
---
- include_tasks: keys.yml
- include_tasks: repositories.yml
- include_tasks: preferences.yml
- include_tasks: packages.yml
- include_tasks: debs.yml


@ -0,0 +1,7 @@
---
- name: Installing packages
apt:
name: "{{ apt_packages }}"
state: present
autoremove: "{{ apt_autoremove }}"


@ -0,0 +1,10 @@
---
- name: Configuring APT preferences
template:
src: etc/apt/preferences.d/preferences.j2
dest: "/etc/apt/preferences.d/{{ item.file }}"
owner: root
group: root
mode: 0644
with_items: "{{ apt_preferences }}"
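Review bot: `mode: 0644` is written as a bare scalar here while every other template task in this role quotes it, so this one relies on the YAML loader treating a leading zero as octal. Write `mode: "0644"` (and quote `owner`/`group` or not, consistently) so the permission does not depend on the parser's number rules.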


@ -0,0 +1,11 @@
---
- name: Adding apt repository
apt_repository:
codename: "{{ item.codename | default(omit) }}"
filename: "{{ item.filename | default(omit) }}"
mode: "{{ item.mode | default(omit) }}"
repo: "{{ item.repo | default(omit) }}"
state: "{{ item.state | default(omit) }}"
update_cache: "{{ item.update_cache | default('yes') }}"
with_items: "{{ apt_repositories }}"
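Review bot: `mode: "{{ item.mode | default(omit) }}"` passes the mode through a template, which makes the unquoted `mode: 0644` form shown in the commented defaults example unsafe. YAML reads that as the integer 420, which reaches the module as the string `420` and is then likely interpreted as octal 0420 rather than 0644, leaving the sources file with unintended permissions. State in the defaults that the value must be quoted, `mode: "0644"`. Separately, `repo` defaults to `omit` although the module needs it, so a malformed entry only fails at run time; `repo: "{{ item.repo }}"` would surface the mistake more clearly.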


@ -0,0 +1,7 @@
---
- name: Installing packages
apt:
pkg: "unattended-upgrades"
state: "{{ 'latest' if apt_unattended_upgrades else 'absent' }}"
when: apt_unattended_upgrades | bool
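Review bot: The `'absent'` branch of `state` can never be used, because `when: apt_unattended_upgrades | bool` skips the task whenever the variable is false, so turning the feature off leaves the `unattended-upgrades` package installed. The inline `if` also tests the raw variable while the `when` goes through `| bool`, so a string value such as `"no"` would be judged differently by the two. If removal on disable is intended, drop the `when` and write `state: "{{ 'latest' if (apt_unattended_upgrades | bool) else 'absent' }}"`; otherwise replace the expression with a plain `state: present`.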


@ -0,0 +1,20 @@
---
- name: Creating Download timer directory
file:
path: "/etc/systemd/system/apt-daily.timer.d"
state: directory
owner: root
group: root
mode: "0755"
- name: Configuring Download timer
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
with_items:
- "etc/systemd/system/apt-daily.timer.d/override.conf"
notify: reload systemd


@ -0,0 +1,20 @@
---
- name: Creating Upgrade timer directory
file:
path: "/etc/systemd/system/apt-daily-upgrade.timer.d"
state: directory
owner: root
group: root
mode: "0755"
- name: Configuring Upgrade timer
template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
with_items:
- "etc/systemd/system/apt-daily-upgrade.timer.d/override.conf"
notify: reload systemd


@ -0,0 +1,6 @@
---
- name: Updating cache
apt:
update_cache: yes
cache_valid_time: "{{ apt_cache_valid_time }}"


@ -0,0 +1,8 @@
---
- name: Upgrading system
apt:
upgrade: "{{ apt_upgrade }}"
update_cache: yes
autoremove: "{{ apt_autoremove }}"
when: (apt_upgrade == "safe") or (apt_upgrade == "full") or (apt_upgrade == "dist")


@ -0,0 +1,11 @@
// {{ ansible_managed }}
{% if apt_http_proxy_address is defined and apt_http_proxy_address %}
Acquire::http::Proxy "{{ apt_http_proxy_address }}";
{% endif %}
{% if apt_https_proxy_address is defined and apt_https_proxy_address %}
Acquire::https::Proxy "{{ apt_https_proxy_address }}";
{% endif %}
{% if apt_http_pipeline_depth is defined and apt_http_pipeline_depth %}
Acquire::http::Pipeline-Depth "{{ apt_http_pipeline_depth }}";
{% endif %}


@ -0,0 +1,12 @@
// {{ ansible_managed }}
// Install Recommended packages by default
APT::Install-Recommends "{{ apt_install_recommends | to_nice_json }}";
// Allow 'apt-get autoremove' to remove recommended packages
APT::AutoRemove::RecommendsImportant "{{ "false" if apt_remove_recommends else "true" }}";
// Install Suggested packages by default
APT::Install-Suggests "{{ apt_install_suggests | to_nice_json }}";
APT::Get::Show-Upgraded "true";


@ -0,0 +1,18 @@
// {{ ansible_managed }}
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "{{ apt_periodic | int}}";
// Do “apt-get update” automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "{{ apt_update_package_lists }}";
// Do “apt-get upgrade download-only” every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "{{ apt_download_upgradeable_packages }}";
// Do “apt-get autoclean” every n-days (0=disable)
APT::Periodic::AutocleanInterval "{{ apt_auto_clean_interval }}";
// Run the “unattended-upgrade” security upgrade script every n-days (0=disabled)
// Requires the package “unattended-upgrades” and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "{{ apt_unattended_upgrades | int }}";


@ -0,0 +1,7 @@
// {{ ansible_managed }}
DPkg {
// Auto re-mounting of a readonly /
Pre-Invoke { "mount -o remount,rw LABEL=ROOTFS /"; };
Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,ro LABEL=ROOTFS / || true"; };
};
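Review bot: The `Post-Invoke` line ends in `|| true`, so if `mount -o remount,ro` fails after a dpkg run the root filesystem stays read-write and nothing is reported; the /tmp template that follows has the same pattern and would leave /tmp mounted `exec`. Since these drop-ins exist to preserve a hardening mount option, the failure should at least be logged, for example by ending the command with `|| { logger -t apt-remount 'remount,ro of / failed'; true; }`. The `LABEL=ROOTFS` device is also hard-coded, so on a host whose root filesystem carries a different label I would expect both remounts to fail; a comment in the template should say that the label is an assumption.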


@ -0,0 +1,7 @@
// {{ ansible_managed }}
DPkg {
// Auto re-mounting of a noexec /tmp since some packages desire exec
Pre-Invoke { "mount -o remount,exec /tmp"; };
Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,noexec /tmp || true"; };
};


@ -0,0 +1,5 @@
# {{ ansible_managed }}
Aptitude::ProblemResolver {
SolutionCost "{{ apt_aptitude_solution_cost | join(", ") }}";
}


@ -0,0 +1,76 @@
// {{ ansible_managed }}
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded. Replace Allowed-Origins
Unattended-Upgrade::Origins-Pattern {
{% for origin in apt_unattended_upgrades_origins %}
"{{ origin }}";
{% endfor %}
};
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
{% for allowed in apt_unattended_upgrades_allowed %}
"{{ allowed }}";
{% endfor %}
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
{% for package in apt_unattended_upgrades_blacklist %}
"{{ package }}";
{% endfor %}
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "{{ apt_unattended_upgrades_minimal_steps | to_nice_json }}";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "{{ apt_mails | join(',') }}";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "{{ apt_unattended_upgrades_notify_error_only | to_nice_json }}";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "{{ apt_unattended_upgrades_autoremove | to_nice_json }}";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "{{ apt_unattended_upgrades_automatic_reboot | to_nice_json }}";
// Automatically reboot even if there are users currently logged in.
Unattended-Upgrade::Automatic-Reboot-WithUsers "{{ apt_unattended_upgrades_automatic_reboot_with_users | to_nice_json }}";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "{{ apt_unattended_upgrades_automatic_reboot_time }}";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
Unattended-Upgrade::SyslogEnable "{{ apt_unattended_upgrades_syslog_enable | to_nice_json }}";
// Specify syslog facility. Default is daemon
Unattended-Upgrade::SyslogFacility "{{ apt_unattended_upgrades_syslog_facility }}";
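Review bot: The loop `{% for allowed in apt_unattended_upgrades_allowed %}` iterates the variable directly, but the defaults comment tells users to set it to null to switch to origins-pattern, and a null value here would make the template fail to render rather than emit an empty block. Guard it with `{% for allowed in apt_unattended_upgrades_allowed | default([], true) %}`. The values written between double quotes in this file (`origin`, `allowed`, `package` and the joined `apt_mails`) are also emitted unescaped, so an entry containing `"` or `;` would change the structure of the generated apt configuration. A short comment that these must be plain tokens would help whoever maintains the inventory.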


@ -0,0 +1,5 @@
# {{ ansible_managed }}
Package: {{ item.package | default('*') }}
Pin: {{ item.pin }}
Pin-Priority: {{ item.priority }}


@ -0,0 +1,13 @@
[Timer]
{% if apt_unattended_upgrades_upgrade_timer_override.on_calendar_replace is defined and apt_unattended_upgrades_upgrade_timer_override.on_calendar_replace|bool %}
OnCalendar=
{% endif %}
{% if apt_unattended_upgrades_upgrade_timer_override.on_calendar is defined %}
OnCalendar={{ apt_unattended_upgrades_upgrade_timer_override.on_calendar }}
{% endif %}
{% if apt_unattended_upgrades_upgrade_timer_override.randomized_delay_sec is defined %}
RandomizedDelaySec={{ apt_unattended_upgrades_upgrade_timer_override.randomized_delay_sec }}
{% endif %}
{% if apt_unattended_upgrades_upgrade_timer_override.persistent is defined %}
Persistent={{ apt_unattended_upgrades_upgrade_timer_override.persistent }}
{% endif %}


@ -0,0 +1,13 @@
[Timer]
{% if apt_unattended_upgrades_download_timer_override.on_calendar_replace is defined and apt_unattended_upgrades_download_timer_override.on_calendar_replace|bool %}
OnCalendar=
{% endif %}
{% if apt_unattended_upgrades_download_timer_override.on_calendar is defined %}
OnCalendar={{ apt_unattended_upgrades_download_timer_override.on_calendar }}
{% endif %}
{% if apt_unattended_upgrades_download_timer_override.randomized_delay_sec is defined %}
RandomizedDelaySec={{ apt_unattended_upgrades_download_timer_override.randomized_delay_sec }}
{% endif %}
{% if apt_unattended_upgrades_download_timer_override.persistent is defined %}
Persistent={{ apt_unattended_upgrades_download_timer_override.persistent }}
{% endif %}


@ -0,0 +1,22 @@
---
- hosts: all
become: yes
roles:
- weareinteractive.apt
vars:
apt_cache_valid_time: 7200
apt_packages:
- vim
- tree
- ca-certificates
apt_deb_packages:
- "https://releases.hashicorp.com/vagrant/2.1.5/vagrant_2.1.5_x86_64.deb"
apt_mails:
- root
apt_preferences:
- file: perl
package: perl
pin: "version 5.20*"
priority: 1001
apt_unattended_upgrades_notify_error_only: no