From 33f6d695f6eae27e35aac0a40e053a27ba033fd8 Mon Sep 17 00:00:00 2001
From: Adar Nimrod
Date: Tue, 1 Dec 2015 13:42:02 +0200
Subject: [PATCH] - Use assertions in tasks files. - Use Ansible module to check the dhparams file. - Updated TODO list.
---
 README.rst                    | 17 ++++++++++++++---
 tasks/add_repo.yml            | 22 ++++++++++++++++++++++
 tasks/add_tls_cert.yml        |  6 ++++++
 tasks/backports.yml           |  9 ++++++---
 tasks/collectd_agent.yml      |  4 ++++
 tasks/init.yml                |  5 +++++
 tasks/ldap_login.yml          |  5 +++++
 tasks/mail_forward.yml        |  6 ++++++
 tasks/main.yml                |  8 ++++++--
 tasks/ntp.yml                 |  5 +++++
 tasks/ssh_ca.yml              |  5 +++++
 tasks/sudo.yml                |  5 +++++
 tasks/syslog_forward.yml      |  4 ++++
 tasks/tls_cert.yml            | 17 ++++++++++++-----
 tasks/ufw.yml                 |  5 +++++
 tasks/unattended_upgrades.yml |  4 ++++
 16 files changed, 114 insertions(+), 13 deletions(-)
diff --git a/README.rst b/README.rst
index 81e2210..847e269 100644
--- a/README.rst
+++ b/README.rst
@@ -73,8 +73,19 @@ at: https://www.shore.co.il/cgit/.
 
 TODO
 ----
-- Implement add_repo, add_tls_cert, debian_backports, collectd_agent, init (with
-  Ansible module), ldap_login, mail_forwarding, ntp, ssh_ca, syslog_forwarding.
+- Implement:
+  - add_tls_cert (Debian works, OpenBSD has no mechannism).
+  - debian_backports (add Ubuntu, priority support).
+  - collectd_agent.
+  - init.
+  - ldap_login (with pam_mkhomedir).
+  - ntp.
+  - mail_forward (OpenBSD support?).
+  - ssh_ca.
+  - syslog_forwarding.
+- Update `tasks/main.yml` to reflect recent assert changes.
 - Test.
 - Document.
-- ldap-login should also enable mkhomedir.
+- Create a module to add a TLS certificate to store for both Debian-based and
+  OpenBSD.
+- Create a module to detect the init system.
diff --git a/tasks/add_repo.yml b/tasks/add_repo.yml
index e69de29..1cfc760 100644
--- a/tasks/add_repo.yml
+++ b/tasks/add_repo.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Assert
+  assert:
+    that:
+      - "ansible_pkg_mgr == 'apt'"
+      - "extra_repos is defined"
+
+- name: Add additional apt repository keys
+  with_items: extra_repos
+  when: item.key_url is defined or item.key_data is defined
+  apt_key:
+    url: '{{ item.key_url|default(omit) }}'
+    data: '{{ item.key_data|default(omit) }}'
+    state: present
+
+- name: Add additional apt repository
+  with_items: extra_repos
+  apt_repository:
+    repo: '{{ item.repo }}'
+    state: present
+    update_cache: yes
diff --git a/tasks/add_tls_cert.yml b/tasks/add_tls_cert.yml
index cd8ac36..3ae3a12 100644
--- a/tasks/add_tls_cert.yml
+++ b/tasks/add_tls_cert.yml
@@ -1,5 +1,11 @@
 ---
 
+- name: Assert
+  assert:
+    that:
+      - "ansible_os_family in [ 'Debian' ]"
+      - "extra_tls_certs is defined"
+
 - name: apt install CA certificates
   when: ansible_os_family == 'Debian'
   apt:
diff --git a/tasks/backports.yml b/tasks/backports.yml
index 9a37205..425a69b 100644
--- a/tasks/backports.yml
+++ b/tasks/backports.yml
@@ -1,4 +1,9 @@
 ---
+
+- name: Assert
+  assert:
+    that: ansible_distribution == 'Debian'
+
 - name: Add backports repositories
   with_items:
     - deb
@@ -12,9 +17,7 @@
   when: backports_priority is defined
   template:
     src: backports.j2
-    dest: //etc/apt/preferences.d/backports
+    dest: /etc/apt/preferences.d/backports
     owner: root
     group: root
     mode: '0644'
-
-# TODO: Add support for Ubuntu, gather enabled archives (non-free, multiverse).
diff --git a/tasks/collectd_agent.yml b/tasks/collectd_agent.yml
index 805d587..790933e 100644
--- a/tasks/collectd_agent.yml
+++ b/tasks/collectd_agent.yml
@@ -1,5 +1,9 @@
 ---
 
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
+
 - name: apt install Collectd
   when: ansible_pkg_mgr == 'apt'
   apt:
diff --git a/tasks/init.yml b/tasks/init.yml
index 86e6e66..d451d5a 100644
--- a/tasks/init.yml
+++ b/tasks/init.yml
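Review bot: The `apt_key` task in tasks/add_repo.yml adds whatever `url:` returns to the host's trusted apt keyring without checking which key it is, and a key in that keyring is trusted for every apt source, not only the repository it was configured for. Consider recording the expected key with `id: '{{ item.key_id|default(omit) }}'` (with `key_id` as a new per-repo field) so a key that does not match is detectable, and assert that `key_url` uses https, since nothing else in the hunk validates what is fetched. Two smaller points: `update_cache: yes` should be `update_cache: true` (yamllint `truthy`), and `with_items: extra_repos` relies on bare-variable lookup, which newer Ansible releases deprecate in favour of `with_items: '{{ extra_repos }}'`.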
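Review bot: The new task in tasks/add_tls_cert.yml is named just `Assert`, as are the ones added in backports, collectd_agent, init, ldap_login, mail_forward, main, ntp, ssh_ca, sudo, syslog_forward, tls_cert, ufw and unattended_upgrades, so a failing precondition prints `TASK [Assert]` with no hint which check or which file rejected the host. Name each task after its check, e.g. `- name: Assert Debian host with extra_tls_certs defined`, and where the Ansible version in use supports it add a `msg:` to the assert describing the requirement. With this assertion in place the `when: ansible_os_family == 'Debian'` on the following task (which continues outside the hunk) is redundant and can be dropped.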
@@ -1,4 +1,9 @@
 ---
+
+- name: Assert
+  assert:
+    that: ansible_os_family == 'Debian'
+
 - name: Find which package provided init
   command: /usr/bin/dpkg -S /sbin/init
   register: common_which_init
diff --git a/tasks/ldap_login.yml b/tasks/ldap_login.yml
index e69de29..e03b087 100644
--- a/tasks/ldap_login.yml
+++ b/tasks/ldap_login.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
diff --git a/tasks/mail_forward.yml b/tasks/mail_forward.yml
index 75adb17..16910f3 100644
--- a/tasks/mail_forward.yml
+++ b/tasks/mail_forward.yml
@@ -1,5 +1,11 @@
 ---
+
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
+
 - name: apt install exim
+  when: ansible_pkg_mgr == 'apt'
   apt:
     name: exim4
     state: present
diff --git a/tasks/main.yml b/tasks/main.yml
index 3bae11d..ef3fd95 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,14 +1,18 @@
 ---
 # tasks file for ansible_common
 
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
+
 - include: init.yml
   when: ansible_os_family == 'Debian'
 
 - include: backports.yml
   when: backports|default(False) and ansible_distribution == 'Debian'
 
-- include: add_repo.yml repo='{{ item }}'
-  when: ansible_distribution == 'Debian'
+- include: add_repo.yml
+  when: ansible_distribution == 'Debian' and extra_repos is defined
 
 - include: ufw.yml
   when: ufw|default(True) and ansible_os_family == 'Debian'
diff --git a/tasks/ntp.yml b/tasks/ntp.yml
index e69de29..e03b087 100644
--- a/tasks/ntp.yml
+++ b/tasks/ntp.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
diff --git a/tasks/ssh_ca.yml b/tasks/ssh_ca.yml
index e69de29..e03b087 100644
--- a/tasks/ssh_ca.yml
+++ b/tasks/ssh_ca.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
diff --git a/tasks/sudo.yml b/tasks/sudo.yml
index b74ebfe..fe7dc90 100644
--- a/tasks/sudo.yml
+++ b/tasks/sudo.yml
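Review bot: The include guard for add_repo.yml in tasks/main.yml, `when: ansible_distribution == 'Debian' and extra_repos is defined`, tests a different fact than the file it includes, which asserts `ansible_pkg_mgr == 'apt'`: on an Ubuntu host add_repo.yml is silently skipped even though its own precondition would pass, and the README hunk itself lists aligning main.yml with the new asserts as still to do. Use the same condition in both places, e.g. `when: ansible_pkg_mgr == 'apt' and extra_repos is defined`. The same drift shows on the context line `include: ufw.yml` guarded by `ansible_os_family == 'Debian'` while ufw.yml asserts `ansible_pkg_mgr == 'apt'`; the rest of main.yml is outside the hunk.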
@@ -1,4 +1,9 @@
 ---
+
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
+
 - name: Add sudo group
   group:
     name: sudo
diff --git a/tasks/syslog_forward.yml b/tasks/syslog_forward.yml
index 1d4b19a..2f3a0ec 100644
--- a/tasks/syslog_forward.yml
+++ b/tasks/syslog_forward.yml
@@ -1,5 +1,9 @@
 ---
 
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
+
 - name: apt install rsyslog
   when: ansible_os_family == 'Debian'
   apt:
diff --git a/tasks/tls_cert.yml b/tasks/tls_cert.yml
index 022b2b7..e81471e 100644
--- a/tasks/tls_cert.yml
+++ b/tasks/tls_cert.yml
@@ -1,3 +1,9 @@
+---
+
+- name: Assert
+  assert:
+    that: ansible_os_family in [ 'Debian' ]
+
 - name: apt install TLS CA certs
   apt:
     name: '{{ item }}'
@@ -42,10 +48,11 @@
   when: tls_copy.changed
 
 - name: Check if dhparams exists and its length
-  changed_when: False
-  script: dhparams.sh
-  register: dhparams
+  ignore_errors: yes
+  dhparams:
+    path: /etc/ssl/dhparams.pem
+  register: tls_dhparams
 
-- name: Generate dhparams
-  when: dhparams.stdout|int < 2048
+- name: Generate dhparams (this will take a while)
+  when: tls_dhparams.bits < 2048
   command: /usr/bin/openssl dhparam -out /etc/ssl/dhparams.pem 2048
diff --git a/tasks/ufw.yml b/tasks/ufw.yml
index 99f3af1..234bd2f 100644
--- a/tasks/ufw.yml
+++ b/tasks/ufw.yml
@@ -1,4 +1,9 @@
 ---
+
+- name: Assert
+  assert:
+    that: ansible_pkg_mgr == 'apt'
+
 - name: apt install ufw
   apt:
     name: ufw
diff --git a/tasks/unattended_upgrades.yml b/tasks/unattended_upgrades.yml
index 00fb8af..e4ff777 100644
--- a/tasks/unattended_upgrades.yml
+++ b/tasks/unattended_upgrades.yml
@@ -1,5 +1,9 @@
 ---
 
+- name: Assert
+  assert:
+    that: ansible_pkg_mgr == 'apt'
+
 - name: apt install unattended-upgrades
   apt:
     name: unattended-upgrades
-- 
GitLab
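Review bot: `ignore_errors: yes` on the dhparams check in tasks/tls_cert.yml means that when the `dhparams` module fails (or cannot be found — no module file appears in this commit's diffstat, so it must already exist elsewhere in the role) the play continues, but `tls_dhparams.bits` is then undefined and the following `when: tls_dhparams.bits < 2048` aborts with an undefined-variable error instead of generating the file. Make the condition tolerate a failed check, e.g. `when: tls_dhparams.bits|default(0) < 2048`, or drop `ignore_errors` and have the module report a missing file as a normal result rather than a failure. Since the old `changed_when: False` was removed, also confirm the module reports `changed: false` on a pure check, otherwise every run shows a change; the `dhparams.sh` script the removed `script:` task used is not deleted in this diff either.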