diff --git a/README.rst b/README.rst
index d8bfe7d4a602edeec5c4a4323dd2a6dae50bfc36..f5035e5b0a2a62041eb1adbe94309f72b403123c 100644
--- a/README.rst
+++ b/README.rst
@@ -28,9 +28,6 @@ Role Variables collectd_riemann_server: collectd_collectd_server: collectd_statsd_server: - mail_root_alias: - ldap_login_server: - sudo: ntp: unattended_upgrades: tls_cert: # Filename of the TLS cert for that host.
diff --git a/handlers/main.yml b/handlers/main.yml
index 2d2db66c43252b65aafe61e5870193236f74e8f9..6f515dd39770254a2369026f1d7adc5eca7e5d99 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -14,11 +14,6 @@ name: syslogd state: restarted -- name: Restart ssh - service: - name: '{{ ssh_daemon[ansible_os_family] }}' - state: restarted - - name: Restart Collectd service: name: collectd
@@ -33,8 +28,3 @@ service: name: systemd-timesyncd state: restarted - -- name: Restart stunnel - service: - name: '{{ stunnel_service[ansible_os_family] }}' - state: restarted
diff --git a/tasks/ldap_login.yml b/tasks/ldap_login.yml
deleted file mode 100644
index 30ec8cb0e9c1755cda98e8243d5a3e7ffeea6b35..0000000000000000000000000000000000000000
--- a/tasks/ldap_login.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-- name: Assert
- assert:
- that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: apt install
- when: ansible_pkg_mgr == 'apt'
- apt:
- name: bash
- state: present
- update_cache: yes
- cache_valid_time: 3600
-
-- name: pkg install
- when: ansible_pkg_mgr == 'openbsd_pkg'
- openbsd_pkg:
- name: bash
- state: present
diff --git a/tasks/lock_root.yml b/tasks/lock_root.yml
deleted file mode 100644
index 9ac64cc9cdc414b9850dc066eb31a9abc25190f1..0000000000000000000000000000000000000000
--- a/tasks/lock_root.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-
-- name: Disable root account
- user:
- name: root
- password: '*************'
- register: lock_root
- changed_when: not (lock_root.stderr is defined and 'no changes' in lock_root.stderr)
-
-- name: Disable root SSH login
- lineinfile:
- dest: /etc/ssh/sshd_config
- line: 'PermitRootLogin no'
- regexp: '^PermitRootLogin '
- notify:
- - Restart ssh
diff --git a/tasks/mail_forward.yml b/tasks/mail_forward.yml
deleted file mode 100644
index 68e20cdfce4841d2e5d2a47aeb67a8bf65b9013f..0000000000000000000000000000000000000000
--- a/tasks/mail_forward.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-
-- name: Assert
- assert:
- that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: apt install exim
- when: ansible_pkg_mgr == 'apt'
- apt:
- name: exim4
- state: present
- update_cache: yes
- cache_valid_time: 3600
-
-- name: Set root mail alias
- lineinfile:
- dest: '{{ aliases_file[ansible_os_family] }}'
- line: 'root: {{ mail_root_alias }}'
- regexp: '^root:'
- register: root_alias
-
-- name: Update SMTPd database
- when: ansible_os_family == 'OpenBSD' and root_alias.changed
- command: /usr/sbin/makemap /etc/mail/aliases
diff --git a/tasks/main.yml b/tasks/main.yml
index ab40a3295b88c87f1dd931a63c17dd237f092233..d67586f4c783c5d8fb1c83ef93e8e37030fbc090 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,12 +1,6 @@ --- # tasks file for ansible_common -- include: openbsd_bootstrap.yml - when: openbsd_bootstrap is defined - -- setup: - when: openbsd_bootstrap is undefined - - name: Assert assert: that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
@@ -35,26 +29,11 @@ - include: collectd_agent.yml when: (collectd_graphite_server is defined or collectd_riemann_server is defined or collectd_collectd_server is defined or collectd_statsd_server is defined) and not common_role_finished is defined -- include: mail_forward.yml - when: mail_root_alias is defined and not common_role_finished is defined - -- include: ldap_login.yml - when: ldap_login_server is defined and not common_role_finished is defined - -- include: sudo.yml - when: sudo|default(True) and not common_role_finished is defined - - include: ntp.yml when: ntp|default(True) and not common_role_finished is defined - include: unattended_upgrades.yml when: unattended_upgrades|default(True) and ansible_os_family == 'Debian' and not common_role_finished is defined -- include: lock_root.yml - when: lock_root|default(True) and not common_role_finished is defined - -- include: stunnel.yml - when: stunnel|default(True) and not common_role_finished is defined - - set_fact: common_role_finished: True
diff --git a/tasks/openbsd_bootstrap.yml b/tasks/openbsd_bootstrap.yml
deleted file mode 100644
index 31ef049f0c9dc1657d05e3614e2edb88e55962ad..0000000000000000000000000000000000000000
--- a/tasks/openbsd_bootstrap.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# Bootstrap an OpenBSD machine to be able to run Ansible on it.
-
-- name: Install Python
- raw: "PKG_PATH={{ openbsd_pkg_mirror }}/OpenBSD/$(uname -r)/packages/$(arch -s)/ /usr/sbin/pkg_add -I py-pip"
- register: openbsd_pkg_add_python
- changed_when: "'python' in openbsd_pkg_add_python.stdout"
-
-- name: Symlink python
- raw: ln -s /usr/local/bin/python2.7 /usr/bin/python
- register: symlink_python
- changed_when: not 'File exists' in symlink_python.stdout_lines[0]
- failed_when: symlink_python|failed and not 'File exists' in symlink_python.stdout_lines[0]
-
-- name: Gather facts
- setup:
-
-- name: Configure pkg
- lineinfile:
- dest: /etc/pkg.conf
- line: 'installpath = {{ openbsd_pkg_mirror }}/OpenBSD/{{ ansible_distribution_release }}/packages/{{ ansible_architecture }}/'
- regexp: '^installpath ='
- state: present
- create: yes
diff --git a/tasks/stunnel.yml b/tasks/stunnel.yml
deleted file mode 100644
index c404d765e82a168eecfb7b9741a6dfcb2c7e5877..0000000000000000000000000000000000000000
--- a/tasks/stunnel.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-
-- assert:
- that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: apt install stunnel
- when: ansible_pkg_mgr == 'apt'
- apt:
- name: stunnel4
- state: present
- update_cache: yes
- cache_valid_time: 3600
-
-- name: pkg install stunnel
- when: ansible_pkg_mgr == 'openbsd_pkg'
- openbsd_pkg:
- name: '{{ openbsd_stunnel_version[ansible_distribution_release] }}'
- state: present
-
-- name: Configure stunnel
- with_dict:
- syslog: yes
- key: '{{ tls_key_path }}'
- cert: '{{ tls_cert_path }}'
- CAfile: '{{ ca_store[ansible_os_family] }}'
- ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
- options: NO_SSLv2
- options: NO_SSLv3
- lineinfile:
- dest: /etc/stunnel/stunnel.conf
- line: '{{ item.key }} = {{ item.value }}'
- regexp: '^{{ item.key }} ='
- state: present
- notify:
- - Restart stunnel
-
-- name: Allow stunnel to access the TLS key
- user:
- name: '{{ stunnel_user[ansible_os_family] }}'
- groups: ssl-cert
- append: yes
- state: present
- notify:
- - Restart stunnel
diff --git a/tasks/sudo.yml b/tasks/sudo.yml
deleted file mode 100644
index fe7dc906facf8af4678d46ac92806988509b67e6..0000000000000000000000000000000000000000
--- a/tasks/sudo.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-- name: Assert
- assert:
- that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: Add sudo group
- group:
- name: sudo
- state: present
- system: yes
-
-- name: Give sudo group sudo permissions
- lineinfile:
- dest: '{{ sudoers_location[ansible_os_family] }}'
- line: '%sudo ALL=(ALL) NOPASSWD: ALL'
- regexp: '^%sudo'
diff --git a/vars/main.yml b/vars/main.yml
index 5926400077439b89a1f1d4d33309b0b9d9e66d0d..c143af83bbf0247f65c192e173639add2dc89a81 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -15,51 +15,32 @@ backports_repo: precise: http://archive.ubuntu.com/ubuntu precise-backports main universe multiverse trusty: http://archive.ubuntu.com/ubuntu trusty-backports main universe multiverse -sudoers_location: - FreeBSD: '/usr/local/etc/sudoers' - Debian: '/etc/sudoers' - OpenBSD: '/etc/sudoers' - openbsd_collectd_version: '5.5': 'collectd-4.10.2p4' '5.6': 'collectd-4.10.2p4' '5.7': 'collectd-5.4.1p1' '5.8': 'collectd-5.5.0p1' -openbsd_stunnel_version: - '5.5': 'stunnel-4.56' - '5.6': 'stunnel-5.00p0' - '5.7': 'stunnel-5.06' - '5.8': 'stunnel-5.19' - -openbsd_pkg_mirror: http://www.mirrorservice.org/pub ca_store: OpenBSD: /etc/ssl/cert.pem Debian: /etc/ssl/certs/ca-certificates.crt + update_ca_certificates: OpenBSD: /usr/local/sbin/update-ca-certificates Debian: /usr/sbin/update-ca-certificates -ssh_daemon: - OpenBSD: sshd - Debian: ssh + cert_dir: OpenBSD: /etc/ssl/certs Debian: /usr/local/share/ca-certificates + ntpd_conf: OpenBSD: /etc/ntpd.conf Debian: /etc/ntp.conf + ntp_pool: OpenBSD: pool.ntp.org Debian: debian.pool.ntp.org + ntpd_service: OpenBSD: ntpd Debian: ntp -aliases_file: - OpenBSD: /etc/mail/aliases - Debian: /etc/aliases -stunnel_service: - OpenBSD: stunnel - Debian: stunnel4 -stunnel_user: - OpenBSD: _stunnel - Debian: stunnel4