diff --git a/handlers/main.yml b/handlers/main.yml
index 7265ba6f65c4f461779249bf68b85d19b6b40af0..e975c979b522f45ec0d0c2d5ff1980c8f3c97e4e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -39,18 +39,18 @@
- name: restart exim
ansible.builtin.systemd:
name: "exim4"
- state: restarted
+ state: reloaded
enabled: true
- name: restart postfix
ansible.builtin.service:
name: "postfix"
- state: restarted
+ state: reloaded
- name: restart sshd
ansible.builtin.systemd:
name: "sshd"
- state: restarted
+ state: reloaded
- name: reload journald configuration
ansible.builtin.systemd:
@@ -60,8 +60,9 @@
- name: restart logrotate.service
ansible.builtin.systemd:
name: "logrotate.service"
- state: restarted
+ state: reloaded
when: ansible_os_family == "Debian"
+ changed_when: false
- name: udev-Regel bekannt machen
ansible.builtin.command: "udevadm control --reload"
diff --git a/tasks/configure_glances.yml b/tasks/configure_glances.yml
index 971b7ce72230887456a63c20f3bb76c5b2dc70e2..b9d1ad34b850ff7b5a6690849a8115f0a87c064a 100644
--- a/tasks/configure_glances.yml
+++ b/tasks/configure_glances.yml
@@ -1,7 +1,27 @@
---
+- name: find out if Glances Service is enabled
+ ansible.builtin.command: systemctl is-enabled glances.service
+ register: glances_enabled
+ changed_when: false
+ failed_when:
+ - glances_enabled.stdout != "enabled"
+ - glances_enabled.stdout != "disabled"
+
+# this is idempotent
- name: stop Glances (web-)server
ansible.builtin.service:
- name: "glances"
+ name: "glances.service"
state: stopped
+ when:
+ - ansible_os_family == "Debian"
+ - glances_enabled.stdout != "disabled"
+
+# this is NOT idempotent, so it needs the "changed: false" stanza
+- name: disable Glances (web-)server
+ ansible.builtin.service:
+ name: "glances.service"
enabled: false
- when: ansible_os_family == "Debian"
+ when:
+ - ansible_os_family == "Debian"
+ - glances_enabled.stdout != "disabled"
+ changed_when: false
diff --git a/tasks/configure_logrotate.yml b/tasks/configure_logrotate.yml
index e7ef7924064976861fb182bb4100922d04fa1637..07bd4b97a03c857f542b24c802ac3008750dabd7 100644
--- a/tasks/configure_logrotate.yml
+++ b/tasks/configure_logrotate.yml
@@ -1,4 +1,5 @@
---
+# copy module modifies parent directory permissions, when file or directory is copied with owner and group different than root. It is also not idempotent and changes on subsequent runs.
- name: rollout default logrotate config
ansible.builtin.copy:
src: "etc/logrotate.conf"
@@ -7,6 +8,7 @@
group: "root"
mode: "0644"
notify: restart logrotate.service
+ tags: [molecule-idempotence-notest]
- name: set custom compression algorithm
ansible.builtin.blockinfile:
diff --git a/tasks/configure_ntp.yml b/tasks/configure_ntp.yml
index 7714c615d874833ef4c8bec42a0383cd6e2b0802..a9b6294d82ff25f2886c3d0654dd7b6faaba3ee4 100644
--- a/tasks/configure_ntp.yml
+++ b/tasks/configure_ntp.yml
@@ -1,4 +1,5 @@
---
+# copy module modifies parent directory permissions, when file or directory is copied with owner and group different than root. It is also not idempotent and changes on subsequent runs.
- name: configure NTP
ansible.builtin.copy:
src: "etc/ntp.conf"
@@ -6,3 +7,4 @@
owner: "root"
group: "root"
mode: "0644"
+ tags: [molecule-idempotence-notest]
diff --git a/tasks/configure_persistent_journald_logging.yml b/tasks/configure_persistent_journald_logging.yml
index e9e567e89c7690c47d5268f242603cf8f4676e74..383367cc2892ac2ce425ff22439b53da6f8df61e 100644
--- a/tasks/configure_persistent_journald_logging.yml
+++ b/tasks/configure_persistent_journald_logging.yml
@@ -1,47 +1,26 @@
---
-# enable persistent systemd journalctl logging
-# Documentation: zless /usr/share/doc/systemd/README.Debian.gz
-- name: enable persistent systemd journalctl logging
- block:
- - name: create log directory
- ansible.builtin.file:
- path: "/var/log/journal"
- state: directory
- mode: "0644"
- owner: "root"
- group: "systemd-journal"
+# Documentation: https://www.freedesktop.org/software/systemd/man/journald.conf.html
+- name: configure journald
+ ansible.builtin.blockinfile:
+ path: "/etc/systemd/journald.conf.d/persistence.conf"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ create: "yes"
+ state: present
+ block: |
+ # If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.
+ Storage=persistent
- - name: find out if journald is already logging to a persistent location
- ansible.builtin.shell: "systemd-tmpfiles --cat-config | grep '/var/log/journal'"
- register: jd_persist
- changed_when: false
+ # If enabled (the default), data objects that shall be stored in the journal and are larger than the default threshold of 512 bytes are compressed before they are written to the file system.
+ Compress=true
- - name: link directory name to systemd
- ansible.builtin.command: systemd-tmpfiles --create --prefix /var/log/journal
- when: jd_persist.rc == 0
+ # Controls how much disk space the journal may use up at most. (default: 10%)
+ SystemMaxUse=1G
- # Documentation: https://www.freedesktop.org/software/systemd/man/journald.conf.html
- - name: configure journald
- ansible.builtin.blockinfile:
- path: "/etc/systemd/journald.conf.d/persistence.conf"
- owner: "root"
- group: "root"
- mode: "0644"
- create: "yes"
- state: present
- block: |
- # If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.
- Storage=persistent
-
- # If enabled (the default), data objects that shall be stored in the journal and are larger than the default threshold of 512 bytes are compressed before they are written to the file system.
- Compress=true
-
- # Controls how much disk space the journal may use up at most. (default: 10%)
- SystemMaxUse=1G
-
- # Controls how much disk space systemd-journald shall leave free for other uses. (default: 15%)
- # THIS DOES NOT WORK, HOWEVER: SystemKeepFree=15%
- SystemKeepFree=350M
- notify:
- - reload journald configuration
+ # Controls how much disk space systemd-journald shall leave free for other uses. (default: 15%)
+ # THIS DOES NOT WORK, HOWEVER: SystemKeepFree=15%
+ SystemKeepFree=350M
+ notify:
+ - reload journald configuration
when: ansible_facts.service_mgr == "systemd"
diff --git a/tasks/configure_swap.yml b/tasks/configure_swap.yml
index 6f4cbd198e909b66de98237797aab510f708c815..3a6d08872023c1e673e4b38a7fc52f69a9924b31 100644
--- a/tasks/configure_swap.yml
+++ b/tasks/configure_swap.yml
@@ -1,12 +1,23 @@
---
+- name: check if swap is active
+ ansible.builtin.command: swapon -s
+ register: swap_active
+ changed_when: false
+
# https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#testing-strings
- name: switch off swap (immediate result for running server, not reboot persistent)
- ansible.builtin.command: swapoff -a
- when: ansible_hostname is not search("validate")
+ ansible.builtin.command: swapoff -va
+ when:
+ - ansible_hostname is not search("validate")
+ - swap_active.stdout == ""
+ register: disable_swap
+ changed_when: disable_swap.stdout not in "swapoff LABEL=swap"
- name: switch off swap (no result for running server, reboot persistent)
ansible.posix.mount:
path: "none"
fstype: "swap"
state: "absent"
- when: ansible_hostname is not search("validate")
+ when:
+ - ansible_hostname is not search("validate")
+ - swap_active.stdout == ""
diff --git a/tasks/main.yml b/tasks/main.yml
index 69527d3f128ffd5570f605339e1323e479dc65a8..ada2ad387cb8d081317800703e74ce1e56d7c196 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,9 +17,11 @@
# import_tasks: configure-network.yml
# tags: [network,dns]
+# We don't test for idempotence because these tasks can never be idempotent.
+# They are meant to copy fresh Backups of the SSH keys every time they are run.
- name: Server-SSH-Schlüssel sichern
import_tasks: backup_ssh_hostkeys.yml
- tags: [ssh]
+ tags: [ssh, molecule-idempotence-notest]
- name: SLUB-lokales Debian-Repository hinzufügen
import_tasks: configure_package_repositories.yml
@@ -147,6 +149,7 @@
when: ansible_os_family == "RedHat"
tags: [ntp]
+# there's no way to get this task to become idempotent, so we have to skip the test
- name: Flush handlers am Ende der Rolle
ansible.builtin.meta: flush_handlers
- tags: [always]
+ tags: [always, molecule-idempotence-notest]