diff --git a/handlers/main.yml b/handlers/main.yml
index 0f715641790daf5554c32ec00606fdbd7ec1cce5..0ddcfd79da37ac9039b5a5c4fa274e049b62468a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,6 @@
---
- name: save iptables rules (Debian)
+ when: ansible_os_family == "Debian"
block:
- name: Ordner für iptables-Config erstellen
ansible.builtin.file:
@@ -18,9 +19,9 @@
- name: save iptables rules
ansible.builtin.command: 'netfilter-persistent save' # noqa no-changed-when
listen: "save iptables rules"
- when: ansible_os_family == "Debian"
- name: save iptables rules (RedHat)
+ when: ansible_os_family == "RedHat"
block:
- name: make sure iptables config file exists
ansible.builtin.file:
@@ -34,7 +35,6 @@
- name: save rules
ansible.builtin.command: /usr/sbin/iptables-save # noqa no-changed-when
listen: "save iptables rules"
- when: ansible_os_family == "RedHat"
- name: restart exim
ansible.builtin.systemd:
diff --git a/meta/main.yml b/meta/main.yml
index f47f99bdd7ad9e12fbf679cdcd1544d8888d8cf5..9a8cd50b1a28ca8dd6073ff4403a9b5ec8a84f84 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,5 +1,7 @@
---
galaxy_info:
+ role_name: "ansible_lza_install_common"
+ namespace: "slub"
author: Jörg Sachse
company: SLUB Dresden
description: role to deploy a base install of Debian for use in the SLUBarchiv digital preservation repository
diff --git a/molecule/resources/playbooks/verify.yml b/molecule/resources/playbooks/verify.yml
index e707420ab5c87edfa59c7805ce4534ff1b387177..a5cfa75e4c765f52891877bfca5f823b69a2c23b 100644
--- a/molecule/resources/playbooks/verify.yml
+++ b/molecule/resources/playbooks/verify.yml
@@ -5,6 +5,6 @@
hosts: all
gather_facts: false
tasks:
- - name: Example assertion
- ansible.builtin.assert:
- that: true
+ - name: Example assertion
+ ansible.builtin.assert:
+ that: true
diff --git a/site.yml b/site.yml
index a461d4a962aa1d651cb9960d1ad45f8228fd0ea3..c3c91c9915704ada8ae6aba3a0bfed32a8defac2 100644
--- a/site.yml
+++ b/site.yml
@@ -1,8 +1,9 @@
---
-- hosts: "*"
+- name: "install generic base server"
+ hosts: "*"
pre_tasks:
- name: Verify that the installed version of Ansible meets this playbook's version requirements.
- assert:
+ ansible.builtin.assert:
that: "ansible_version.full is version_compare('2.2', '>=')"
msg: >
"You must update Ansible to at least 2.2 to use this playbook."
@@ -24,4 +25,4 @@
strategy: linear
roles:
- - { role: ansible_lza_install_common, become: true }
+ - { role: "ansible_lza_install_common", become: true }
diff --git a/tasks/configure_autoupdate.yml b/tasks/configure_autoupdate.yml
index 33877ce591607f6e9f6e439af21155095edaf739..caf98859009abc3c9d66a0317b26bcd690c1d14a 100644
--- a/tasks/configure_autoupdate.yml
+++ b/tasks/configure_autoupdate.yml
@@ -1,5 +1,6 @@
---
- name: remove apt-cron autoupdate (Debian)
+ when: ansible_os_family == "Debian"
block:
- name: Uninstall autoupdate packages (Debian)
ansible.builtin.apt:
@@ -13,11 +14,11 @@
- "/etc/cron-apt/action.d/3-download"
- "/etc/cron-apt/config"
- "/etc/cron.d/cron-apt"
- when: ansible_os_family == "Debian"
# unattended-upgrades is the default in Debian 11 and new GUBS installations
# anyway, so we use it instead of cron-apt.
- name: Install & configure unattended-upgrades (Debian/Ubuntu)
+ when: ansible_os_family == "Debian"
block:
- name: install unattended-upgrades
ansible.builtin.apt:
@@ -49,10 +50,10 @@
ansible.builtin.file:
path: "/etc/apt/apt.conf.d/51only-security-upgrades"
state: absent
- when: ansible_os_family == "Debian"
# based on: https://access.redhat.com/solutions/2823901
- name: Install & configurate autoupdate (RedHat)
+ when: ansible_os_family == "RedHat"
block:
- name: include vars yum-cron.yml
ansible.builtin.include_vars: "yum-cron.yml"
@@ -70,4 +71,3 @@
owner: "root"
group: "root"
mode: "0644"
- when: ansible_os_family == "RedHat"
diff --git a/tasks/configure_package_repositories.yml b/tasks/configure_package_repositories.yml
index 080841b9d7681f9ecd145203a4bff34020f29892..f13eb07a4be99bfa0a5ce244ceb869f0c3d27cef 100644
--- a/tasks/configure_package_repositories.yml
+++ b/tasks/configure_package_repositories.yml
@@ -1,5 +1,6 @@
---
- name: configure Debian repositories
+ when: "ansible_facts['distribution'] == 'Debian'"
block:
- name: öffentlichen Schlüssel hinzufügen (sonst muss bei jeder Installation eine Warnmeldung bestätigt werden)
ansible.builtin.apt_key:
@@ -12,7 +13,6 @@
state: present
update_cache: "yes"
mode: "0644"
- when: "ansible_facts['distribution'] == 'Debian'"
- name: add custom repositories
ansible.builtin.yum_repository:
diff --git a/tasks/configure_ssh_keys.yml b/tasks/configure_ssh_keys.yml
index b3a91bf63134f82014dec6b510d6b8a8f6aadc23..4e39d1587669751ec5dcf5ae1da42894f39fb230 100644
--- a/tasks/configure_ssh_keys.yml
+++ b/tasks/configure_ssh_keys.yml
@@ -1,6 +1,6 @@
---
- name: gültige SSH-Keys für Public-Key Authentication einspielen (HUMAN_USERS)
- ansible.builtin.authorized_key:
+ ansible.posix.authorized_key:
user: "{{ item.key }}"
comment: "{{ item.value.ssh_comment_current | default('') }}"
key: "{{ item.value.ssh_key_current | default('') }}"
@@ -9,7 +9,7 @@
when: item.value.state != "absent"
- name: gültige SSH-Keys für Public-Key Authentication einspielen (ROBOT_USERS)
- ansible.builtin.authorized_key:
+ ansible.posix.authorized_key:
user: "{{ item.key }}"
comment: "{{ item.value.ssh_comment_current | default('') }}"
key: "{{ item.value.ssh_key_current | default('') }}"
@@ -18,7 +18,7 @@
when: item.value.state != "absent"
- name: alle gültigen SSH-Keys zum Installationsuser hinzufügen
- ansible.builtin.authorized_key:
+ ansible.posix.authorized_key:
user: "{{ vault_install_username }}"
comment: "{{ item.value.ssh_comment_current | default('') }}"
key: "{{ item.value.ssh_key_current | default('') }}"
diff --git a/tasks/configure_swap.yml b/tasks/configure_swap.yml
index 2862af15d9b7acb26811c89a82894ae1e301f662..3ee20f7d3246817a02ed85595ed378589b5c741a 100644
--- a/tasks/configure_swap.yml
+++ b/tasks/configure_swap.yml
@@ -1,5 +1,6 @@
---
- name: configure zram based swap (Debian)
+ when: ansible_os_family == "Debian"
block:
- name: install zram
ansible.builtin.package:
@@ -12,11 +13,11 @@
ALGO=lz4
PERCENT=50
notify: restart zramswap
- when: ansible_os_family == "Debian"
# RHEL part is based on https://www.techrepublic.com/article/how-to-enable-zram-rocky-linux/
# More docu on zram at https://www.kernel.org/doc/html/latest/admin-guide/blockdev/zram.html
- name: configure zram based swap (RedHat)
+ when: ansible_os_family == "RedHat"
block:
- name: disable swapping first, otherwise zram will not work
ansible.builtin.command: "swapoff -a"
@@ -44,7 +45,7 @@
ansible.builtin.lineinfile:
path: "/etc/udev/rules.d/99-zram.rules"
create: true
- line: "KERNEL==\"zram0\", ATTR{disksize}=\"{{ ( ansible_facts.memtotal_mb / 2 ) | round | int }}M\",TAG+=\"systemd\""
+ line: "KERNEL==\"zram0\", ATTR{disksize}=\"{{ (ansible_facts.memtotal_mb / 2) | round | int }}M\",TAG+=\"systemd\""
mode: "0644"
- name: find out if zram Kernel module has been loaded already
ansible.builtin.command: "lsmod"
@@ -58,7 +59,7 @@
register: "zram_devices"
changed_when: false
- name: setup zram device
- ansible.builtin.command: "zramctl -a lzo -s {{ ( ansible_facts.memtotal_mb / 2 ) | round | int }}M /dev/zram0"
+ ansible.builtin.command: "zramctl -a lzo -s {{ (ansible_facts.memtotal_mb / 2) | round | int }}M /dev/zram0"
changed_when: false
- name: create SystemD unit directory
ansible.builtin.file:
@@ -71,7 +72,6 @@
dest: "/usr/local/lib/systemd/system/zramswap.service"
mode: "0644"
notify: restart zramswap
- when: ansible_os_family == "RedHat"
- name: configure zram based swap (common)
block:
diff --git a/tasks/install_packages.yml b/tasks/install_packages.yml
index 1cf2749f52dead363b7ddb6a138a090265b032e0..435e2d51cb3393fc1efd067a8118f2767e4e5e4c 100644
--- a/tasks/install_packages.yml
+++ b/tasks/install_packages.yml
@@ -7,6 +7,7 @@
# Äquivalent von yum update
- name: update packages (RedHat)
+ when: ansible_os_family == "RedHat"
block:
- name: yum update
ansible.builtin.yum:
@@ -16,7 +17,6 @@
- name: yum autoremove
ansible.builtin.yum:
autoremove: true
- when: ansible_os_family == "RedHat"
- name: uninstall packages
ansible.builtin.apt:
diff --git a/tasks/main.yml b/tasks/main.yml
index fe6f7a79ee58d86bd5a1deb8b7ebd89ebbd9f6b5..bf4d439b40389b74258d5f696086bcc05b79aaeb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,134 +14,134 @@
### PAKETINSTALLATIONEN ###
# - name: Netzwerk konfigurieren
-# import_tasks: configure-network.yml
+# ansible.builtin.import_tasks: configure-network.yml
# tags: [network,dns]
# We don't test for idempotence because these tasks can never be idempotent.
# They are meant to copy fresh Backups of the SSH keys every time they are run.
- name: Server-SSH-Schlüssel sichern
- import_tasks: backup_ssh_hostkeys.yml
+ ansible.builtin.import_tasks: "backup_ssh_hostkeys.yml"
tags: [ssh, molecule-idempotence-notest]
- name: SLUB-lokales Debian-Repository hinzufügen
- import_tasks: configure_package_repositories.yml
+ ansible.builtin.import_tasks: "configure_package_repositories.yml"
tags: [apt, yum, packages]
- name: NTP-Client
- import_tasks: migrate_ntpd_to_esxi_timesync.yml
+ ansible.builtin.import_tasks: "migrate_ntpd_to_esxi_timesync.yml"
when: # implicit AND when passing a list
- ansible_facts.virtualization_role == "guest"
- ansible_facts.virtualization_type == "VMware"
tags: [ntp, ntpd, time]
- name: Systempakete installieren
- import_tasks: install_packages.yml
+ ansible.builtin.import_tasks: "install_packages.yml"
tags: [apt, yum, packages]
- name: HotAdd-Scripte für VMware installieren
- import_tasks: install_hotadd_scripts.yml
+ ansible.builtin.import_tasks: "install_hotadd_scripts.yml"
tags: [hotadd]
- name: Lzip-Tools installieren
- import_tasks: install_lzip_tools.yml
+ ansible.builtin.import_tasks: "install_lzip_tools.yml"
tags: [lzip, lziptools]
### KONFIGURATION ###
- name: Bash (Prompt, Aliases etc.) konfigurieren
- import_tasks: configure_bash.yml
+ ansible.builtin.import_tasks: "configure_bash.yml"
tags: [bash]
- name: Autoupdate konfigurieren
- import_tasks: configure_autoupdate.yml
+ ansible.builtin.import_tasks: "configure_autoupdate.yml"
tags: [apt, yum, packages]
- name: Konfigurationsdateien einspielen - SSH-Login
- import_tasks: configure_ssh_login.yml
+ ansible.builtin.import_tasks: "configure_ssh_login.yml"
tags: [ssh, bash]
- name: Konfigurationsdateien einspielen - HTOP
- import_tasks: configure_htop.yml
+ ansible.builtin.import_tasks: "configure_htop.yml"
tags: [htop]
- name: tmux konfigurieren
- import_tasks: configure_tmux.yml
+ ansible.builtin.import_tasks: "configure_tmux.yml"
tags: [tmux]
- name: logrotate konfigurieren
- import_tasks: configure_logrotate.yml
+ ansible.builtin.import_tasks: "configure_logrotate.yml"
tags: [log, logrotate]
- name: motd Script einspielen
- import_tasks: configure_motd.yml
+ ansible.builtin.import_tasks: "configure_motd.yml"
tags: [motd]
- name: Gruppen und Benutzer erzeugen
- import_tasks: create_users_groups.yml
+ ansible.builtin.import_tasks: "create_users_groups.yml"
tags: [users]
- name: SSH-Keys verwalten
- import_tasks: configure_ssh_keys.yml
+ ansible.builtin.import_tasks: "configure_ssh_keys.yml"
tags: [users]
- name: ungültige User und SSH-Keys entfernen
- import_tasks: remove_users_keys.yml
+ ansible.builtin.import_tasks: "remove_users_keys.yml"
tags: [ssh, users, cleanup]
- name: Logging auf Syslog-Server einrichten
- import_tasks: configure_syslog_server_logging.yml
+ ansible.builtin.import_tasks: "configure_syslog_server_logging.yml"
tags: [log, syslog]
- name: persistentes Journalctl-Logging einrichten
- import_tasks: configure_persistent_journald_logging.yml
+ ansible.builtin.import_tasks: "configure_persistent_journald_logging.yml"
tags: [log]
- name: Needrestart installieren
- import_tasks: install_needrestart.yml
+ ansible.builtin.import_tasks: "install_needrestart.yml"
when: ansible_distribution == "Debian"
tags: [apt, needrestart]
- name: Check_MK-Plugins installieren
- import_tasks: install_checkmk_plugins.yml
+ ansible.builtin.import_tasks: "install_checkmk_plugins.yml"
tags: [monitoring]
- name: root-Shell einrichten
- import_tasks: configure_root_shell.yml
+ ansible.builtin.import_tasks: "configure_root_shell.yml"
tags: [bash, root, shell, color]
- name: root-Shell einrichten
- import_tasks: configure_sudoers.yml
+ ansible.builtin.import_tasks: "configure_sudoers.yml"
tags: [sudo]
- name: Configure swap
- import_tasks: configure_swap.yml
+ ansible.builtin.import_tasks: "configure_swap.yml"
tags: [swap, vm]
- name: sar konfigurieren
- import_tasks: configure_sar.yml
+ ansible.builtin.import_tasks: "configure_sar.yml"
tags: [sar, sysstat]
- name: Exim konfigurieren
- import_tasks: configure_exim.yml
+ ansible.builtin.import_tasks: "configure_exim.yml"
when: ansible_os_family == "Debian"
tags: [exim, mail]
- name: Postfix konfigurieren
- import_tasks: configure_postfix.yml
+ ansible.builtin.import_tasks: "configure_postfix.yml"
when: ansible_os_family == "RedHat"
tags: [postfix, mail]
# - name: Glances-Server abschalten
-# import_tasks: configure_glances.yml
+# ansible.builtin.import_tasks: "configure_glances.yml"
# when: ansible_os_family != "RedHat" # RHEL 7 still runs Glances 2.5, which doesn't come with the glances.service SystemD unit
# tags: [glances]
### CGROUP FÜR CHECK_MK KONFIGURIEREN ###
# - name: include cgroup CMK config
-# import_tasks: cgroup_check_mk.yml
+# ansible.builtin.import_tasks: "cgroup_check_mk.yml"
# tags: [always]
- name: NTP konfigurieren
- import_tasks: configure_ntp.yml
+ ansible.builtin.import_tasks: "configure_ntp.yml"
tags: [ntp]
- name: Configure Network