From a7da5085be93d5b1c92ee440733e3c8a42bbd8a5 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Thu, 9 Jun 2016 11:01:17 +0300
Subject: [PATCH] - Removed stunnel, sudo, mail aliases, lock root and ldap
 login from role. They're provided by dedicated roles.

---
 README.rst                  |  3 ---
 handlers/main.yml           | 10 ---------
 tasks/ldap_login.yml        | 19 ----------------
 tasks/lock_root.yml         | 16 --------------
 tasks/mail_forward.yml      | 24 --------------------
 tasks/main.yml              | 21 ------------------
 tasks/openbsd_bootstrap.yml | 24 --------------------
 tasks/stunnel.yml           | 44 -------------------------------------
 tasks/sudo.yml              | 17 --------------
 vars/main.yml               | 29 +++++-------------------
 10 files changed, 5 insertions(+), 202 deletions(-)
 delete mode 100644 tasks/ldap_login.yml
 delete mode 100644 tasks/lock_root.yml
 delete mode 100644 tasks/mail_forward.yml
 delete mode 100644 tasks/openbsd_bootstrap.yml
 delete mode 100644 tasks/stunnel.yml
 delete mode 100644 tasks/sudo.yml

diff --git a/README.rst b/README.rst
index d8bfe7d..f5035e5 100644
--- a/README.rst
+++ b/README.rst
@@ -28,9 +28,6 @@ Role Variables
     collectd_riemann_server:
     collectd_collectd_server:
     collectd_statsd_server:
-    mail_root_alias:
-    ldap_login_server:
-    sudo:
     ntp:
     unattended_upgrades:
     tls_cert: # Filename of the TLS cert for that host.
diff --git a/handlers/main.yml b/handlers/main.yml
index 2d2db66..6f515dd 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -14,11 +14,6 @@
     name: syslogd
     state: restarted
 
-- name: Restart ssh
-  service:
-    name: '{{ ssh_daemon[ansible_os_family] }}'
-    state: restarted
-
 - name: Restart Collectd
   service:
     name: collectd
@@ -33,8 +28,3 @@
   service:
     name: systemd-timesyncd
     state: restarted
-
-- name: Restart stunnel
-  service:
-    name: '{{ stunnel_service[ansible_os_family] }}'
-    state: restarted
diff --git a/tasks/ldap_login.yml b/tasks/ldap_login.yml
deleted file mode 100644
index 30ec8cb..0000000
--- a/tasks/ldap_login.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-- name: Assert
-  assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: apt install
-  when: ansible_pkg_mgr == 'apt'
-  apt:
-    name: bash
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
-- name: pkg install
-  when: ansible_pkg_mgr == 'openbsd_pkg'
-  openbsd_pkg:
-    name: bash
-    state: present
diff --git a/tasks/lock_root.yml b/tasks/lock_root.yml
deleted file mode 100644
index 9ac64cc..0000000
--- a/tasks/lock_root.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-
-- name: Disable root account
-  user:
-    name: root
-    password: '*************'
-  register: lock_root
-  changed_when: not (lock_root.stderr is defined and 'no changes' in lock_root.stderr)
-
-- name: Disable root SSH login
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: 'PermitRootLogin no'
-    regexp: '^PermitRootLogin '
-  notify:
-  - Restart ssh
diff --git a/tasks/mail_forward.yml b/tasks/mail_forward.yml
deleted file mode 100644
index 68e20cd..0000000
--- a/tasks/mail_forward.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-
-- name: Assert
-  assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: apt install exim
-  when: ansible_pkg_mgr == 'apt'
-  apt:
-    name: exim4
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
-- name: Set root mail alias
-  lineinfile:
-    dest: '{{ aliases_file[ansible_os_family] }}'
-    line: 'root: {{ mail_root_alias }}'
-    regexp: '^root:'
-  register: root_alias
-
-- name: Update SMTPd database
-  when: ansible_os_family == 'OpenBSD' and root_alias.changed
-  command: /usr/sbin/makemap /etc/mail/aliases
diff --git a/tasks/main.yml b/tasks/main.yml
index ab40a32..d67586f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,12 +1,6 @@
 ---
 # tasks file for ansible_common
 
-- include: openbsd_bootstrap.yml
-  when: openbsd_bootstrap is defined
-
-- setup:
-  when: openbsd_bootstrap is undefined
-
 - name: Assert
   assert:
     that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
@@ -35,26 +29,11 @@
 - include: collectd_agent.yml
   when: (collectd_graphite_server is defined or collectd_riemann_server is defined or collectd_collectd_server is defined or collectd_statsd_server is defined) and not common_role_finished is defined
 
-- include: mail_forward.yml
-  when: mail_root_alias is defined and not common_role_finished is defined
-
-- include: ldap_login.yml
-  when: ldap_login_server is defined and not common_role_finished is defined
-
-- include: sudo.yml
-  when: sudo|default(True) and not common_role_finished is defined
-
 - include: ntp.yml
   when: ntp|default(True) and not common_role_finished is defined
 
 - include: unattended_upgrades.yml
   when: unattended_upgrades|default(True) and ansible_os_family == 'Debian' and not common_role_finished is defined
 
-- include: lock_root.yml
-  when: lock_root|default(True) and not common_role_finished is defined
-
-- include: stunnel.yml
-  when: stunnel|default(True) and not common_role_finished is defined
-
 - set_fact:
     common_role_finished: True
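Review bot: Dropping the `lock_root.yml` include removes a hardening step that this role applied by default (`lock_root|default(True)`), so any playbook that applied the role without ever setting `lock_root` silently stops enforcing `PermitRootLogin no` and the locked root password unless the dedicated role is added alongside; the same opt-out default applied to `sudo` and `stunnel`. The README hunk drops only `mail_root_alias`, `ldap_login_server` and `sudo` and names no replacement roles, so nothing in the patch tells a consumer what to add back. I would add a README line such as `Root locking, sudo, stunnel, mail forwarding and LDAP login have moved to dedicated roles; apply them explicitly — this role no longer hardens root login.` and list the role names if they are known. The task list in tasks/main.yml starts above this hunk, so I cannot tell whether an assert or note elsewhere already covers this.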
diff --git a/tasks/openbsd_bootstrap.yml b/tasks/openbsd_bootstrap.yml
deleted file mode 100644
index 31ef049..0000000
--- a/tasks/openbsd_bootstrap.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-# Bootstrap an OpenBSD machine to be able to run Ansible on it.
-
-- name: Install Python
-  raw: "PKG_PATH={{ openbsd_pkg_mirror }}/OpenBSD/$(uname -r)/packages/$(arch -s)/ /usr/sbin/pkg_add -I py-pip"
-  register: openbsd_pkg_add_python
-  changed_when: "'python' in openbsd_pkg_add_python.stdout"
-
-- name: Symlink python
-  raw: ln -s /usr/local/bin/python2.7 /usr/bin/python
-  register: symlink_python
-  changed_when: not 'File exists' in symlink_python.stdout_lines[0]
-  failed_when: symlink_python|failed and not 'File exists' in symlink_python.stdout_lines[0]
-
-- name: Gather facts
-  setup:
-
-- name: Configure pkg
-  lineinfile:
-    dest: /etc/pkg.conf
-    line: 'installpath = {{ openbsd_pkg_mirror }}/OpenBSD/{{ ansible_distribution_release }}/packages/{{ ansible_architecture }}/'
-    regexp: '^installpath ='
-    state: present
-    create: yes
diff --git a/tasks/stunnel.yml b/tasks/stunnel.yml
deleted file mode 100644
index c404d76..0000000
--- a/tasks/stunnel.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-
-- assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: apt install stunnel
-  when: ansible_pkg_mgr == 'apt'
-  apt:
-    name: stunnel4
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
-- name: pkg install stunnel
-  when: ansible_pkg_mgr == 'openbsd_pkg'
-  openbsd_pkg:
-    name: '{{ openbsd_stunnel_version[ansible_distribution_release] }}'
-    state: present
-
-- name: Configure stunnel
-  with_dict:
-    syslog: yes
-    key: '{{ tls_key_path }}'
-    cert: '{{ tls_cert_path }}'
-    CAfile: '{{ ca_store[ansible_os_family] }}'
-    ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
-    options: NO_SSLv2
-    options: NO_SSLv3
-  lineinfile:
-    dest: /etc/stunnel/stunnel.conf
-    line: '{{ item.key }} = {{ item.value }}'
-    regexp: '^{{ item.key }} ='
-    state: present
-  notify:
-  - Restart stunnel
-
-- name: Allow stunnel to access the TLS key
-  user:
-    name: '{{ stunnel_user[ansible_os_family] }}'
-    groups: ssl-cert
-    append: yes
-    state: present
-  notify:
-  - Restart stunnel
diff --git a/tasks/sudo.yml b/tasks/sudo.yml
deleted file mode 100644
index fe7dc90..0000000
--- a/tasks/sudo.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-- name: Assert
-  assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: Add sudo group
-  group:
-    name: sudo
-    state: present
-    system: yes
-
-- name: Give sudo group sudo permissions
-  lineinfile:
-    dest: '{{ sudoers_location[ansible_os_family] }}'
-    line: '%sudo     ALL=(ALL) NOPASSWD: ALL'
-    regexp: '^%sudo'
diff --git a/vars/main.yml b/vars/main.yml
index 5926400..c143af8 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -15,51 +15,32 @@ backports_repo:
   precise: http://archive.ubuntu.com/ubuntu precise-backports main universe multiverse
   trusty: http://archive.ubuntu.com/ubuntu trusty-backports main universe multiverse
 
-sudoers_location:
-    FreeBSD: '/usr/local/etc/sudoers'
-    Debian: '/etc/sudoers'
-    OpenBSD: '/etc/sudoers'
-
 openbsd_collectd_version:
     '5.5': 'collectd-4.10.2p4'
     '5.6': 'collectd-4.10.2p4'
     '5.7': 'collectd-5.4.1p1'
     '5.8': 'collectd-5.5.0p1'
 
-openbsd_stunnel_version:
-    '5.5': 'stunnel-4.56'
-    '5.6': 'stunnel-5.00p0'
-    '5.7': 'stunnel-5.06'
-    '5.8': 'stunnel-5.19'
-
-openbsd_pkg_mirror: http://www.mirrorservice.org/pub
 ca_store:
     OpenBSD: /etc/ssl/cert.pem
     Debian: /etc/ssl/certs/ca-certificates.crt
+
 update_ca_certificates:
     OpenBSD: /usr/local/sbin/update-ca-certificates
     Debian: /usr/sbin/update-ca-certificates
-ssh_daemon:
-    OpenBSD: sshd
-    Debian: ssh
+
 cert_dir:
     OpenBSD: /etc/ssl/certs
     Debian: /usr/local/share/ca-certificates
+
 ntpd_conf:
     OpenBSD: /etc/ntpd.conf
     Debian: /etc/ntp.conf
+
 ntp_pool:
     OpenBSD: pool.ntp.org
     Debian: debian.pool.ntp.org
+
 ntpd_service:
     OpenBSD: ntpd
     Debian: ntp
-aliases_file:
-    OpenBSD: /etc/mail/aliases
-    Debian: /etc/aliases
-stunnel_service:
-    OpenBSD: stunnel
-    Debian: stunnel4
-stunnel_user:
-    OpenBSD: _stunnel
-    Debian: stunnel4
-- 
GitLab