- Removed stunnel, sudo, mail aliases, lock root and ldap login from role....

- Removed stunnel, sudo, mail aliases, lock root and ldap login from role. They're provided by dedicated roles.

- Removed stunnel, sudo, mail aliases, lock root and ldap login from role....
a7da5085 · nimrod · a6792aa5 · a7da5085 · a7da5085 · a6792aa5
Commit a7da5085 authored Jun 9, 2016 by nimrod
--- a/README.rst
+++ b/README.rst
@@ -28,9 +28,6 @@ Role Variables
    collectd_riemann_server:
    collectd_collectd_server:
    collectd_statsd_server:
-    mail_root_alias:
-    ldap_login_server:
-    sudo:
    ntp:
    unattended_upgrades:
    tls_cert: # Filename of the TLS cert for that host.

--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -14,11 +14,6 @@
    name: syslogd
    state: restarted

- name: Restart ssh
-  service:
-    name: '{{ ssh_daemon[ansible_os_family] }}'
-    state: restarted
-
 - name: Restart Collectd
  service:
    name: collectd
@@ -33,8 +28,3 @@
  service:
    name: systemd-timesyncd
    state: restarted
-
- name: Restart stunnel
-  service:
-    name: '{{ stunnel_service[ansible_os_family] }}'
-    state: restarted
--- a/tasks/ldap_login.yml
+++ b/tasks/ldap_login.yml
---
-
- name: Assert
-  assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
- name: apt install
-  when: ansible_pkg_mgr == 'apt'
-  apt:
-    name: bash
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
- name: pkg install
-  when: ansible_pkg_mgr == 'openbsd_pkg'
-  openbsd_pkg:
-    name: bash
-    state: present
--- a/tasks/lock_root.yml
+++ b/tasks/lock_root.yml
---
-
- name: Disable root account
-  user:
-    name: root
-    password: '*************'
-  register: lock_root
-  changed_when: not (lock_root.stderr is defined and 'no changes' in lock_root.stderr)
-
- name: Disable root SSH login
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: 'PermitRootLogin no'
-    regexp: '^PermitRootLogin '
-  notify:
-  - Restart ssh
--- a/tasks/mail_forward.yml
+++ b/tasks/mail_forward.yml
---
-
- name: Assert
-  assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
- name: apt install exim
-  when: ansible_pkg_mgr == 'apt'
-  apt:
-    name: exim4
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
- name: Set root mail alias
-  lineinfile:
-    dest: '{{ aliases_file[ansible_os_family] }}'
-    line: 'root: {{ mail_root_alias }}'
-    regexp: '^root:'
-  register: root_alias
-
- name: Update SMTPd database
-  when: ansible_os_family == 'OpenBSD' and root_alias.changed
-  command: /usr/sbin/makemap /etc/mail/aliases
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # tasks file for ansible_common

- include: openbsd_bootstrap.yml
-  when: openbsd_bootstrap is defined
-
- setup:
-  when: openbsd_bootstrap is undefined
-
 - name: Assert
  assert:
    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
@@ -35,26 +29,11 @@
 - include: collectd_agent.yml
  when: (collectd_graphite_server is defined or collectd_riemann_server is defined or collectd_collectd_server is defined or collectd_statsd_server is defined) and not common_role_finished is defined

- include: mail_forward.yml
-  when: mail_root_alias is defined and not common_role_finished is defined
-
- include: ldap_login.yml
-  when: ldap_login_server is defined and not common_role_finished is defined
-
- include: sudo.yml
-  when: sudo|default(True) and not common_role_finished is defined
-
 - include: ntp.yml
  when: ntp|default(True) and not common_role_finished is defined

 - include: unattended_upgrades.yml
  when: unattended_upgrades|default(True) and ansible_os_family == 'Debian' and not common_role_finished is defined

- include: lock_root.yml
-  when: lock_root|default(True) and not common_role_finished is defined
-
- include: stunnel.yml
-  when: stunnel|default(True) and not common_role_finished is defined
-
 - set_fact:
    common_role_finished: True
--- a/tasks/openbsd_bootstrap.yml
+++ b/tasks/openbsd_bootstrap.yml
---
-# Bootstrap an OpenBSD machine to be able to run Ansible on it.
-
- name: Install Python
-  raw: "PKG_PATH={{ openbsd_pkg_mirror }}/OpenBSD/$(uname -r)/packages/$(arch -s)/ /usr/sbin/pkg_add -I py-pip"
-  register: openbsd_pkg_add_python
-  changed_when: "'python' in openbsd_pkg_add_python.stdout"
-
- name: Symlink python
-  raw: ln -s /usr/local/bin/python2.7 /usr/bin/python
-  register: symlink_python
-  changed_when: not 'File exists' in symlink_python.stdout_lines[0]
-  failed_when: symlink_python|failed and not 'File exists' in symlink_python.stdout_lines[0]
-
- name: Gather facts
-  setup:
-
- name: Configure pkg
-  lineinfile:
-    dest: /etc/pkg.conf
-    line: 'installpath = {{ openbsd_pkg_mirror }}/OpenBSD/{{ ansible_distribution_release }}/packages/{{ ansible_architecture }}/'
-    regexp: '^installpath ='
-    state: present
-    create: yes
--- a/tasks/stunnel.yml
+++ b/tasks/stunnel.yml
---
-
- assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
- name: apt install stunnel
-  when: ansible_pkg_mgr == 'apt'
-  apt:
-    name: stunnel4
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
- name: pkg install stunnel
-  when: ansible_pkg_mgr == 'openbsd_pkg'
-  openbsd_pkg:
-    name: '{{ openbsd_stunnel_version[ansible_distribution_release] }}'
-    state: present
-
- name: Configure stunnel
-  with_dict:
-    syslog: yes
-    key: '{{ tls_key_path }}'
-    cert: '{{ tls_cert_path }}'
-    CAfile: '{{ ca_store[ansible_os_family] }}'
-    ciphers: '!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1'
-    options: NO_SSLv2
-    options: NO_SSLv3
-  lineinfile:
-    dest: /etc/stunnel/stunnel.conf
-    line: '{{ item.key }} = {{ item.value }}'
-    regexp: '^{{ item.key }} ='
-    state: present
-  notify:
-  - Restart stunnel
-
- name: Allow stunnel to access the TLS key
-  user:
-    name: '{{ stunnel_user[ansible_os_family] }}'
-    groups: ssl-cert
-    append: yes
-    state: present
-  notify:
-  - Restart stunnel
--- a/tasks/sudo.yml
+++ b/tasks/sudo.yml
---
-
- name: Assert
-  assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
- name: Add sudo group
-  group:
-    name: sudo
-    state: present
-    system: yes
-
- name: Give sudo group sudo permissions
-  lineinfile:
-    dest: '{{ sudoers_location[ansible_os_family] }}'
-    line: '%sudo     ALL=(ALL) NOPASSWD: ALL'
-    regexp: '^%sudo'
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -15,51 +15,32 @@ backports_repo:
  precise: http://archive.ubuntu.com/ubuntu precise-backports main universe multiverse
  trusty: http://archive.ubuntu.com/ubuntu trusty-backports main universe multiverse

-sudoers_location:
-    FreeBSD: '/usr/local/etc/sudoers'
-    Debian: '/etc/sudoers'
-    OpenBSD: '/etc/sudoers'
-
 openbsd_collectd_version:
    '5.5': 'collectd-4.10.2p4'
    '5.6': 'collectd-4.10.2p4'
    '5.7': 'collectd-5.4.1p1'
    '5.8': 'collectd-5.5.0p1'

-openbsd_stunnel_version:
-    '5.5': 'stunnel-4.56'
-    '5.6': 'stunnel-5.00p0'
-    '5.7': 'stunnel-5.06'
-    '5.8': 'stunnel-5.19'
-
-openbsd_pkg_mirror: http://www.mirrorservice.org/pub
 ca_store:
    OpenBSD: /etc/ssl/cert.pem
    Debian: /etc/ssl/certs/ca-certificates.crt
+
 update_ca_certificates:
    OpenBSD: /usr/local/sbin/update-ca-certificates
    Debian: /usr/sbin/update-ca-certificates
-ssh_daemon:
-    OpenBSD: sshd
-    Debian: ssh
+
 cert_dir:
    OpenBSD: /etc/ssl/certs
    Debian: /usr/local/share/ca-certificates
+
 ntpd_conf:
    OpenBSD: /etc/ntpd.conf
    Debian: /etc/ntp.conf
+
 ntp_pool:
    OpenBSD: pool.ntp.org
    Debian: debian.pool.ntp.org
+
 ntpd_service:
    OpenBSD: ntpd
    Debian: ntp
-aliases_file:
-    OpenBSD: /etc/mail/aliases
-    Debian: /etc/aliases
-stunnel_service:
-    OpenBSD: stunnel
-    Debian: stunnel4
-stunnel_user:
-    OpenBSD: _stunnel
-    Debian: stunnel4