- Use assertions in tasks files.

- Use Ansible module to check the dhparams file. - Updated TODO list.

- Use assertions in tasks files.
33f6d695 · nimrod · 2b3232f2 · 33f6d695 · 33f6d695 · 33f6d695
Commit 33f6d695 authored 9 years ago by nimrod
--- a/README.rst
+++ b/README.rst
@@ -73,8 +73,19 @@ at: https://www.shore.co.il/cgit/.
 TODO
 ----
- Implement add_repo, add_tls_cert, debian_backports, collectd_agent, init (with
+- Implement:
-  Ansible module), ldap_login, mail_forwarding, ntp, ssh_ca, syslog_forwarding.
+  - add_tls_cert (Debian works, OpenBSD has no mechannism).
+  - debian_backports (add Ubuntu, priority support).
+  - collectd_agent.
+  - init.
+  - ldap_login (with pam_mkhomedir).
+  - ntp.
+  - mail_forward (OpenBSD support?).
+  - ssh_ca.
+  - syslog_forwarding.
+- Update `tasks/main.yml` to reflect recent assert changes.
 - Test.
 - Document.
- ldap-login should also enable mkhomedir.
+- Create a module to add a TLS certificate to store for both Debian-based and
+  OpenBSD.
+- Create a module to detect the init system.
--- a/tasks/add_repo.yml
+++ b/tasks/add_repo.yml
+---
+- name: Assert
+  assert:
+    that:
+    - "ansible_pkg_mgr == 'apt'"
+    - "extra_repos is defined"
+- name: Add additional apt repository keys
+  with_items: extra_repos
+  when: item.key_url is defined or item.key_data is defined
+  apt_key:
+    url: '{{ item.key_url|default(omit) }}'
+    data: '{{ item.key_data|default(omit) }}'
+    state: present
+- name: Add additional apt repository
+  with_items: extra_repos
+  apt_repository:
+    repo: '{{ item.repo }}'
+    state: present
+    update_cache: yes
--- a/tasks/add_tls_cert.yml
+++ b/tasks/add_tls_cert.yml
 ---
+- name: Assert
+  assert:
+    that:
+    - "ansible_os_family in [ 'Debian' ]"
+    - "extra_tls_certs is defined"
 - name: apt install CA certificates
  when: ansible_os_family == 'Debian'
  apt:

--- a/tasks/backports.yml
+++ b/tasks/backports.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_distribution == 'Debian'
 - name: Add backports repositories
  with_items:
    - deb
@@ -12,9 +17,7 @@
  when: backports_priority is defined
  template:
    src: backports.j2
-    dest: //etc/apt/preferences.d/backports
+    dest: /etc/apt/preferences.d/backports
    owner: root
    group: root
    mode: '0644'
-# TODO: Add support for Ubuntu, gather enabled archives (non-free, multiverse).
--- a/tasks/collectd_agent.yml
+++ b/tasks/collectd_agent.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
 - name: apt install Collectd
  when: ansible_pkg_mgr == 'apt'
  apt:

--- a/tasks/init.yml
+++ b/tasks/init.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_os_family == 'Debian'
 - name: Find which package provided init
  command: /usr/bin/dpkg -S /sbin/init
  register: common_which_init

--- a/tasks/ldap_login.yml
+++ b/tasks/ldap_login.yml
+---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
--- a/tasks/mail_forward.yml
+++ b/tasks/mail_forward.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
 - name: apt install exim
+  when: ansible_pkg_mgr == 'apt'
  apt:
    name: exim4
    state: present

--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # tasks file for ansible_common
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
 - include: init.yml
  when: ansible_os_family == 'Debian'
 - include: backports.yml
  when: backports|default(False) and ansible_distribution == 'Debian'
- include: add_repo.yml repo='{{ item }}'
+- include: add_repo.yml
-  when: ansible_distribution == 'Debian'
+  when: ansible_distribution == 'Debian' and extra_repos is defined
 - include: ufw.yml
  when: ufw|default(True) and ansible_os_family == 'Debian'

--- a/tasks/ntp.yml
+++ b/tasks/ntp.yml
+---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
--- a/tasks/ssh_ca.yml
+++ b/tasks/ssh_ca.yml
+---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
--- a/tasks/sudo.yml
+++ b/tasks/sudo.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
 - name: Add sudo group
  group:
    name: sudo

--- a/tasks/syslog_forward.yml
+++ b/tasks/syslog_forward.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
 - name: apt install rsyslog
  when: ansible_os_family == 'Debian'
  apt:

--- a/tasks/tls_cert.yml
+++ b/tasks/tls_cert.yml
+---
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian' ]
 - name: apt install TLS CA certs
  apt:
    name: '{{ item }}'
@@ -42,10 +48,11 @@
  when: tls_copy.changed
 - name: Check if dhparams exists and its length
-  changed_when: False
+  ignore_errors: yes
-  script: dhparams.sh
+  dhparams:
-  register: dhparams
+    path: /etc/ssl/dhparams.pem
+  register: tls_dhparams
- name: Generate dhparams
+- name: Generate dhparams (this will take a while)
-  when: dhparams.stdout|int < 2048
+  when: tls_dhparams.bits < 2048
  command: /usr/bin/openssl dhparam -out /etc/ssl/dhparams.pem 2048
--- a/tasks/ufw.yml
+++ b/tasks/ufw.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_pkg_mgr == 'apt'
 - name: apt install ufw
  apt:
    name: ufw

--- a/tasks/unattended_upgrades.yml
+++ b/tasks/unattended_upgrades.yml
 ---
+- name: Assert
+  assert:
+    that: ansible_pkg_mgr == 'apt'
 - name: apt install unattended-upgrades
  apt:
    name: unattended-upgrades