diff --git a/handlers/main.yml b/handlers/main.yml
index 0f715641790daf5554c32ec00606fdbd7ec1cce5..0ddcfd79da37ac9039b5a5c4fa274e049b62468a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,6 @@ --- - name: save iptables rules (Debian) + when: ansible_os_family == "Debian" block: - name: Ordner für iptables-Config erstellen ansible.builtin.file:
@@ -18,9 +19,9 @@ - name: save iptables rules ansible.builtin.command: 'netfilter-persistent save' # noqa no-changed-when listen: "save iptables rules" - when: ansible_os_family == "Debian" - name: save iptables rules (RedHat) + when: ansible_os_family == "RedHat" block: - name: make sure iptables config file exists ansible.builtin.file:
@@ -34,7 +35,6 @@ - name: save rules ansible.builtin.command: /usr/sbin/iptables-save # noqa no-changed-when listen: "save iptables rules" - when: ansible_os_family == "RedHat" - name: restart exim ansible.builtin.systemd:
diff --git a/meta/main.yml b/meta/main.yml
index f47f99bdd7ad9e12fbf679cdcd1544d8888d8cf5..9a8cd50b1a28ca8dd6073ff4403a9b5ec8a84f84 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,5 +1,7 @@ --- galaxy_info: + role_name: "ansible_lza_install_common" + namespace: "slub" author: Jörg Sachse company: SLUB Dresden description: role to deploy a base install of Debian for use in the SLUBarchiv digital preservation repository
diff --git a/molecule/resources/playbooks/verify.yml b/molecule/resources/playbooks/verify.yml
index e707420ab5c87edfa59c7805ce4534ff1b387177..a5cfa75e4c765f52891877bfca5f823b69a2c23b 100644
--- a/molecule/resources/playbooks/verify.yml
+++ b/molecule/resources/playbooks/verify.yml
@@ -5,6 +5,6 @@ hosts: all gather_facts: false tasks: - - name: Example assertion - ansible.builtin.assert: - that: true + - name: Example assertion + ansible.builtin.assert: + that: true
diff --git a/site.yml b/site.yml
index a461d4a962aa1d651cb9960d1ad45f8228fd0ea3..c3c91c9915704ada8ae6aba3a0bfed32a8defac2 100644
--- a/site.yml
+++ b/site.yml 
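Review bot: In the RedHat handler (hunk `@@ -34,7 +35,6 @@`) `ansible.builtin.command: /usr/sbin/iptables-save` only writes the live ruleset to stdout, so unless something outside this hunk redirects it, nothing is persisted and the task name `save rules` overstates what happens; the Debian counterpart's `netfilter-persistent save` does write to disk. If persistence is the intent, redirect into the file that the preceding `make sure iptables config file exists` task creates, e.g. `ansible.builtin.shell: '/usr/sbin/iptables-save > <IPTABLES_CONFIG_PATH>'` (path to be taken from that task), or use the distribution's save service. The `# noqa no-changed-when` suppression is carried over on both command tasks; a `changed_when` based on the command result would be preferable to silencing the rule.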
@@ -1,8 +1,9 @@ --- -- hosts: "*" +- name: "install generic base server" + hosts: "*" pre_tasks: - name: Verify that the installed version of Ansible meets this playbook's version requirements. - assert: + ansible.builtin.assert: that: "ansible_version.full is version_compare('2.2', '>=')" msg: > "You must update Ansible to at least 2.2 to use this playbook."
@@ -24,4 +25,4 @@ strategy: linear roles: - - { role: ansible_lza_install_common, become: true } + - { role: "ansible_lza_install_common", become: true }
diff --git a/tasks/configure_autoupdate.yml b/tasks/configure_autoupdate.yml
index 33877ce591607f6e9f6e439af21155095edaf739..caf98859009abc3c9d66a0317b26bcd690c1d14a 100644
--- a/tasks/configure_autoupdate.yml
+++ b/tasks/configure_autoupdate.yml
@@ -1,5 +1,6 @@ --- - name: remove apt-cron autoupdate (Debian) + when: ansible_os_family == "Debian" block: - name: Uninstall autoupdate packages (Debian) ansible.builtin.apt:
@@ -13,11 +14,11 @@ - "/etc/cron-apt/action.d/3-download" - "/etc/cron-apt/config" - "/etc/cron.d/cron-apt" - when: ansible_os_family == "Debian" # unattended-upgrades is the default in Debian 11 and new GUBS installations # anyway, so we use it instead of cron-apt. - name: Install & configure unattended-upgrades (Debian/Ubuntu) + when: ansible_os_family == "Debian" block: - name: install unattended-upgrades ansible.builtin.apt:
@@ -49,10 +50,10 @@ ansible.builtin.file: path: "/etc/apt/apt.conf.d/51only-security-upgrades" state: absent - when: ansible_os_family == "Debian" # based on: https://access.redhat.com/solutions/2823901 - name: Install & configurate autoupdate (RedHat) + when: ansible_os_family == "RedHat" block: - name: include vars yum-cron.yml ansible.builtin.include_vars: "yum-cron.yml"
@@ -70,4 +71,3 @@ owner: "root" group: "root" mode: "0644" - when: ansible_os_family == "RedHat" 
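Review bot: The `pre_tasks` check still pins the floor at 2.2 (`that: "ansible_version.full is version_compare('2.2', '>=')"`) while the same hunk switches to the FQCN `ansible.builtin.assert` and other files in this commit move to `ansible.posix.authorized_key`; FQCNs in the `ansible.builtin` namespace and collection modules need ansible-core 2.10 or later, so on an older controller the play fails to resolve the module before this guard can run. Raise the floor and use the current test name, `that: "ansible_version.full is version('2.10', '>=')"`, and update the `msg` text to match (`version_compare` is the deprecated alias of `version`). The `msg: >` folded scalar also keeps the inner double quotes as part of the emitted text; dropping them gives a cleaner message.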
diff --git a/tasks/configure_package_repositories.yml b/tasks/configure_package_repositories.yml
index 080841b9d7681f9ecd145203a4bff34020f29892..f13eb07a4be99bfa0a5ce244ceb869f0c3d27cef 100644
--- a/tasks/configure_package_repositories.yml
+++ b/tasks/configure_package_repositories.yml
@@ -1,5 +1,6 @@ --- - name: configure Debian repositories + when: "ansible_facts['distribution'] == 'Debian'" block: - name: öffentlichen Schlüssel hinzufügen (sonst muss bei jeder Installation eine Warnmeldung bestätigt werden) ansible.builtin.apt_key: @@ -12,7 +13,6 @@ state: present update_cache: "yes" mode: "0644" - when: "ansible_facts['distribution'] == 'Debian'" - name: add custom repositories ansible.builtin.yum_repository:
diff --git a/tasks/configure_ssh_keys.yml b/tasks/configure_ssh_keys.yml
index b3a91bf63134f82014dec6b510d6b8a8f6aadc23..4e39d1587669751ec5dcf5ae1da42894f39fb230 100644
--- a/tasks/configure_ssh_keys.yml
+++ b/tasks/configure_ssh_keys.yml
@@ -1,6 +1,6 @@ --- - name: gültige SSH-Keys für Public-Key Authentication einspielen (HUMAN_USERS) - ansible.builtin.authorized_key: + ansible.posix.authorized_key: user: "{{ item.key }}" comment: "{{ item.value.ssh_comment_current | default('') }}" key: "{{ item.value.ssh_key_current | default('') }}"
@@ -9,7 +9,7 @@ when: item.value.state != "absent" - name: gültige SSH-Keys für Public-Key Authentication einspielen (ROBOT_USERS) - ansible.builtin.authorized_key: + ansible.posix.authorized_key: user: "{{ item.key }}" comment: "{{ item.value.ssh_comment_current | default('') }}" key: "{{ item.value.ssh_key_current | default('') }}"
@@ -18,7 +18,7 @@ when: item.value.state != "absent" - name: alle gültigen SSH-Keys zum Installationsuser hinzufügen - ansible.builtin.authorized_key: + ansible.posix.authorized_key: user: "{{ vault_install_username }}" comment: "{{ item.value.ssh_comment_current | default('') }}" key: "{{ item.value.ssh_key_current | default('') }}" 
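Review bot: The moved block condition `when: "ansible_facts['distribution'] == 'Debian'"` selects on distribution, whereas every other block touched by this commit (configure_autoupdate.yml, configure_swap.yml, handlers/main.yml, install_packages.yml) selects on `ansible_os_family`; on an Ubuntu host this repository block is skipped while the autoupdate block named "(Debian/Ubuntu)" runs, which may be intended but deserves a comment above the `when:` saying why the SLUB repository is Debian-only. The block still relies on `ansible.builtin.apt_key:`, which trusts the imported key for every apt source on the host; the current practice is to store the key in a keyring file and bind it to this one repository with a `signed-by` option, so a follow-up to that effect is worth scheduling. In the second hunk `update_cache: "yes"` is a quoted string where the boolean `true` is meant.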
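Review bot: The three tasks now call `ansible.posix.authorized_key`, which makes the `ansible.posix` collection a runtime dependency of this role, yet the `meta/main.yml` hunk in this commit adds only `role_name` and `namespace`; unless a `requirements.yml` already exists elsewhere in the repository, declare the collection there so the role fails fast on a controller that lacks it. Separately, `key: "{{ item.value.ssh_key_current | default('') }}"` hands the module an empty key for any user whose entry has no `ssh_key_current`, and the `when: item.value.state != "absent"` guard does not exclude that case; extending it to `when: item.value.state != "absent" and item.value.ssh_key_current is defined` keeps such entries from reaching the module. Each task's loop and remaining options lie outside the hunks.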
diff --git a/tasks/configure_swap.yml b/tasks/configure_swap.yml
index 2862af15d9b7acb26811c89a82894ae1e301f662..3ee20f7d3246817a02ed85595ed378589b5c741a 100644
--- a/tasks/configure_swap.yml
+++ b/tasks/configure_swap.yml
@@ -1,5 +1,6 @@ --- - name: configure zram based swap (Debian) + when: ansible_os_family == "Debian" block: - name: install zram ansible.builtin.package:
@@ -12,11 +13,11 @@ ALGO=lz4 PERCENT=50 notify: restart zramswap - when: ansible_os_family == "Debian" # RHEL part is based on https://www.techrepublic.com/article/how-to-enable-zram-rocky-linux/ # More docu on zram at https://www.kernel.org/doc/html/latest/admin-guide/blockdev/zram.html - name: configure zram based swap (RedHat) + when: ansible_os_family == "RedHat" block: - name: disable swapping first, otherwise zram will not work ansible.builtin.command: "swapoff -a"
@@ -44,7 +45,7 @@ ansible.builtin.lineinfile: path: "/etc/udev/rules.d/99-zram.rules" create: true - line: "KERNEL==\"zram0\", ATTR{disksize}=\"{{ ( ansible_facts.memtotal_mb / 2 ) | round | int }}M\",TAG+=\"systemd\"" + line: "KERNEL==\"zram0\", ATTR{disksize}=\"{{ (ansible_facts.memtotal_mb / 2) | round | int }}M\",TAG+=\"systemd\"" mode: "0644" - name: find out if zram Kernel module has been loaded already ansible.builtin.command: "lsmod"
@@ -58,7 +59,7 @@ register: "zram_devices" changed_when: false - name: setup zram device - ansible.builtin.command: "zramctl -a lzo -s {{ ( ansible_facts.memtotal_mb / 2 ) | round | int }}M /dev/zram0" + ansible.builtin.command: "zramctl -a lzo -s {{ (ansible_facts.memtotal_mb / 2) | round | int }}M /dev/zram0" changed_when: false - name: create SystemD unit directory ansible.builtin.file:
@@ -71,7 +72,6 @@ dest: "/usr/local/lib/systemd/system/zramswap.service" mode: "0644" notify: restart zramswap - when: ansible_os_family == "RedHat" - name: configure zram based swap (common) block: 
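Review bot: `setup zram device` in hunk `@@ -58,7 +59,7 @@` runs `zramctl -a lzo -s … /dev/zram0` with `changed_when: false`, so a run that actually creates and sizes the device reports no change and cannot notify the `restart zramswap` handler; if the preceding `register: "zram_devices"` captures the existing devices, gate the task on it (e.g. `when: "'zram0' not in zram_devices.stdout"`) and drop `changed_when: false`, or derive `changed_when` from the command output. The Debian block configures `ALGO=lz4` while the RedHat command hard-codes `-a lzo`; if the difference is deliberate, a comment next to the command should say so. The `swapoff -a` task in hunk `@@ -12,11 +13,11 @@` disables all existing swap on every run; whether it is guarded is not visible in the hunk.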
diff --git a/tasks/install_packages.yml b/tasks/install_packages.yml
index 1cf2749f52dead363b7ddb6a138a090265b032e0..435e2d51cb3393fc1efd067a8118f2767e4e5e4c 100644
--- a/tasks/install_packages.yml
+++ b/tasks/install_packages.yml
@@ -7,6 +7,7 @@ # Äquivalent von yum update - name: update packages (RedHat) + when: ansible_os_family == "RedHat" block: - name: yum update ansible.builtin.yum:
@@ -16,7 +17,6 @@ - name: yum autoremove ansible.builtin.yum: autoremove: true - when: ansible_os_family == "RedHat" - name: uninstall packages ansible.builtin.apt:
diff --git a/tasks/main.yml b/tasks/main.yml
index fe6f7a79ee58d86bd5a1deb8b7ebd89ebbd9f6b5..bf4d439b40389b74258d5f696086bcc05b79aaeb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml 
@@ -14,134 +14,134 @@ ### PAKETINSTALLATIONEN ### # - name: Netzwerk konfigurieren -# import_tasks: configure-network.yml +# ansible.builtin.import_tasks: configure-network.yml # tags: [network,dns] # We don't test for idempotence because these tasks can never be idempotent. # They are meant to copy fresh Backups of the SSH keys every time they are run. - name: Server-SSH-Schlüssel sichern - import_tasks: backup_ssh_hostkeys.yml + ansible.builtin.import_tasks: "backup_ssh_hostkeys.yml" tags: [ssh, molecule-idempotence-notest] - name: SLUB-lokales Debian-Repository hinzufügen - import_tasks: configure_package_repositories.yml + ansible.builtin.import_tasks: "configure_package_repositories.yml" tags: [apt, yum, packages] - name: NTP-Client - import_tasks: migrate_ntpd_to_esxi_timesync.yml + ansible.builtin.import_tasks: "migrate_ntpd_to_esxi_timesync.yml" when: # implicit AND when passing a list - ansible_facts.virtualization_role == "guest" - ansible_facts.virtualization_type == "VMware" tags: [ntp, ntpd, time] - name: Systempakete installieren - import_tasks: install_packages.yml + ansible.builtin.import_tasks: "install_packages.yml" tags: [apt, yum, packages] - name: HotAdd-Scripte für VMware installieren - import_tasks: install_hotadd_scripts.yml + ansible.builtin.import_tasks: "install_hotadd_scripts.yml" tags: [hotadd] - name: Lzip-Tools installieren - import_tasks: install_lzip_tools.yml + ansible.builtin.import_tasks: "install_lzip_tools.yml" tags: [lzip, lziptools] ### KONFIGURATION ### - name: Bash (Prompt, Aliases etc.) 
konfigurieren - import_tasks: configure_bash.yml + ansible.builtin.import_tasks: "configure_bash.yml" tags: [bash] - name: Autoupdate konfigurieren - import_tasks: configure_autoupdate.yml + ansible.builtin.import_tasks: "configure_autoupdate.yml" tags: [apt, yum, packages] - name: Konfigurationsdateien einspielen - SSH-Login - import_tasks: configure_ssh_login.yml + ansible.builtin.import_tasks: "configure_ssh_login.yml" tags: [ssh, bash] - name: Konfigurationsdateien einspielen - HTOP - import_tasks: configure_htop.yml + ansible.builtin.import_tasks: "configure_htop.yml" tags: [htop] - name: tmux konfigurieren - import_tasks: configure_tmux.yml + ansible.builtin.import_tasks: "configure_tmux.yml" tags: [tmux] - name: logrotate konfigurieren - import_tasks: configure_logrotate.yml + ansible.builtin.import_tasks: "configure_logrotate.yml" tags: [log, logrotate] - name: motd Script einspielen - import_tasks: configure_motd.yml + ansible.builtin.import_tasks: "configure_motd.yml" tags: [motd] - name: Gruppen und Benutzer erzeugen - import_tasks: create_users_groups.yml + ansible.builtin.import_tasks: "create_users_groups.yml" tags: [users] - name: SSH-Keys verwalten - import_tasks: configure_ssh_keys.yml + ansible.builtin.import_tasks: "configure_ssh_keys.yml" tags: [users] - name: ungültige User und SSH-Keys entfernen - import_tasks: remove_users_keys.yml + ansible.builtin.import_tasks: "remove_users_keys.yml" tags: [ssh, users, cleanup] - name: Logging auf Syslog-Server einrichten - import_tasks: configure_syslog_server_logging.yml + ansible.builtin.import_tasks: "configure_syslog_server_logging.yml" tags: [log, syslog] - name: persistentes Journalctl-Logging einrichten - import_tasks: configure_persistent_journald_logging.yml + ansible.builtin.import_tasks: "configure_persistent_journald_logging.yml" tags: [log] - name: Needrestart installieren - import_tasks: install_needrestart.yml + ansible.builtin.import_tasks: "install_needrestart.yml" when: 
ansible_distribution == "Debian" tags: [apt, needrestart] - name: Check_MK-Plugins installieren - import_tasks: install_checkmk_plugins.yml + ansible.builtin.import_tasks: "install_checkmk_plugins.yml" tags: [monitoring] - name: root-Shell einrichten - import_tasks: configure_root_shell.yml + ansible.builtin.import_tasks: "configure_root_shell.yml" tags: [bash, root, shell, color] - name: root-Shell einrichten - import_tasks: configure_sudoers.yml + ansible.builtin.import_tasks: "configure_sudoers.yml" tags: [sudo] - name: Configure swap - import_tasks: configure_swap.yml + ansible.builtin.import_tasks: "configure_swap.yml" tags: [swap, vm] - name: sar konfigurieren - import_tasks: configure_sar.yml + ansible.builtin.import_tasks: "configure_sar.yml" tags: [sar, sysstat] - name: Exim konfigurieren - import_tasks: configure_exim.yml + ansible.builtin.import_tasks: "configure_exim.yml" when: ansible_os_family == "Debian" tags: [exim, mail] - name: Postfix konfigurieren - import_tasks: configure_postfix.yml + ansible.builtin.import_tasks: "configure_postfix.yml" when: ansible_os_family == "RedHat" tags: [postfix, mail] # - name: Glances-Server abschalten -# import_tasks: configure_glances.yml +# ansible.builtin.import_tasks: "configure_glances.yml" # when: ansible_os_family != "RedHat" # RHEL 7 still runs Glances 2.5, which doesn't come with the glances.service SystemD unit # tags: [glances] ### CGROUP FÜR CHECK_MK KONFIGURIEREN ### # - name: include cgroup CMK config -# import_tasks: cgroup_check_mk.yml +# ansible.builtin.import_tasks: "cgroup_check_mk.yml" # tags: [always] - name: NTP konfigurieren - import_tasks: configure_ntp.yml + ansible.builtin.import_tasks: "configure_ntp.yml" tags: [ntp] - name: Configure Network