Seperate the long debian-server role to smaller tasks files.

caf211f2 · nimrod · c5fd0196 · caf211f2 · caf211f2 · caf211f2
Commit caf211f2 authored 4 years ago by nimrod
--- a/roles/debian_server/tasks/btrfs.yml
+++ b/roles/debian_server/tasks/btrfs.yml
+---
+- name: Copy btrfs backup script
+  copy:
+    dest: /usr/local/sbin/btrfs-backup
+    group: root
+    mode: preserve
+    owner: root
+    src: btrfs-backup
+- name: Create btrfs scrub services
+  # yamllint disable rule:line-length
+  loop: &btrfs_devices |-
+    {{ ansible_mounts|selectattr("fstype", "equalto", "btrfs")|map(attribute="device")|unique }}
+  # yamllint enable rule:line-length
+  ansible.builtin.template:
+    dest: /etc/systemd/system/scrub{{ name }}.service
+    mode: 0o0644
+    src: scrub.service.j2
+  vars: &btrfs_vars
+    device: '{{ item }}'
+    name: '{{ item|replace("/", "_") }}'
+  tags: [scrub]
+- name: Create btrfs scrub timers
+  loop: *btrfs_devices
+  ansible.builtin.template:
+    dest: /etc/systemd/system/scrub{{ name }}.timer
+    mode: 0o0644
+    src: scrub.timer.j2
+  vars: *btrfs_vars
+  tags: [scrub]
+- name: Enable the btrfs scrub timers
+  loop: *btrfs_devices
+  ansible.builtin.systemd:
+    enabled: true
+    name: scrub{{ name }}.timer
+    state: started
+  vars: *btrfs_vars
+  tags: [scrub]
--- a/roles/debian_server/tasks/docker.yml
+++ b/roles/debian_server/tasks/docker.yml
+---
+- name: Disable cgroup2 for Docker
+  lineinfile:
+    backup: true
+    line: |-
+      GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.unified_cgroup_hierarchy=0"
+    path: /etc/default/grub
+  notify:
+    - Update GRUB
+- name: Copy the script to start stopped container after a restart
+  copy:
+    dest: /usr/share/docker.io/restart-containers
+    mode: preserve
+    src: docker-restart
+- name: Create a drop-in directory for the Docker service
+  file:
+    path: /etc/systemd/system/docker.service.d
+    mode: 0o0755
+    state: directory
+- name: Restart stopped containers after a restart
+  copy:
+    content: |
+      [Service]
+      ExecStartPost=/usr/share/docker.io/restart-containers
+    dest: /etc/systemd/system/docker.service.d/restart-containers.conf
+    mode: 0o0644
+  notify:
+    - Systemd daemon reload
+- name: Allow default Docker network access to local services
+  community.general.ufw:
+    direction: in
+    interface: docker0
+    rule: allow
+- name: Set UID/GID mapping range
+  loop:
+    - /etc/subgid
+    - /etc/subuid
+  copy:
+    content: |
+      nimrod:100000:65536
+    dest: |-
+      {{ item }}
+    group: root
+    mode: 0o0644
+    owner: root
+- name: Allow unprivileged user namespaces
+  ansible.posix.sysctl:
+    name: kernel/unprivileged_userns_clone
+    state: present
+    value: "1"
--- a/roles/debian_server/tasks/main.yml
+++ b/roles/debian_server/tasks/main.yml
@@ -6,15 +6,6 @@
      - ansible_distribution_major_version|int >= 10
      - ansible_service_mgr == "systemd"
- name: Disable cgroup2 for Docker
-  lineinfile:
-    backup: true
-    line: |-
-      GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.unified_cgroup_hierarchy=0"
-    path: /etc/default/grub
-  notify:
-    - Update GRUB
 - name: Enable the backports repo
  loop:
    - deb
@@ -56,51 +47,17 @@
      - ufw
    state: present
- name: Copy the script to start stopped container after a restart
-  copy:
-    dest: /usr/share/docker.io/restart-containers
-    mode: preserve
-    src: docker-restart
- name: Create a drop-in directory for the Docker service
-  file:
-    path: /etc/systemd/system/docker.service.d
-    mode: 0o0755
-    state: directory
- name: Restart stopped containers after a restart
-  copy:
-    content: |
-      [Service]
-      ExecStartPost=/usr/share/docker.io/restart-containers
-    dest: /etc/systemd/system/docker.service.d/restart-containers.conf
-    mode: 0o0644
-  notify:
-    - Systemd daemon reload
 - name: Rate limit SSH
  community.general.ufw:
    rule: limit
    port: ssh
    proto: tcp
- name: Allow default Docker network access to local services
-  community.general.ufw:
-    direction: in
-    interface: docker0
-    rule: allow
 - name: Enable UFW
  community.general.ufw:
    default: reject
    state: enabled
- name: Allow unprivileged user namespaces
-  ansible.posix.sysctl:
-    name: kernel/unprivileged_userns_clone
-    state: present
-    value: "1"
 - name: Allow more inotify watches
  ansible.posix.sysctl:
    name: fs.inotify.max_user_watches
@@ -128,80 +85,6 @@
    regexp: swap
    state: absent
- name: Set UID/GID mapping range
-  loop:
-    - /etc/subgid
-    - /etc/subuid
-  copy:
-    content: |
-      nimrod:100000:65536
-    dest: |-
-      {{ item }}
-    group: root
-    mode: 0o0644
-    owner: root
- name: Create my www directory
-  file:
-    group: www-data
-    mode: 0o0755
-    owner: www-data
-    path: /var/www
-    state: directory
- name: Create an SSL directory under /var
-  file:
-    group: root
-    mode: 0o0755
-    owner: root
-    path: /var/ssl
-    state: directory
-# I know that I can use Ansible modules instead of calling OpenSSL directly, but
-# with the command module I can easily skip the task if the private key or the
-# certificate already exist. The point is to create an SSL and self-signed
-# certificate only as a bootstrap step. Once there is an existing (and assumed
-# valid) certificate, don't overwrite it.
- name: Create private SSL key
-  command:
-    cmd: openssl genrsa -out /var/ssl/site.key 4096
-    creates: /var/ssl/site.key
- name: Make sure the private key is accessible
-  file:
-    mode: 0o0444
-    path: /var/ssl/site.key
-    state: file
- name: Create SSL certificate
-  command:
-    cmd: >-
-      openssl
-      req
-      -x509
-      -out /var/ssl/site.crt
-      -nodes
-      -key /var/ssl/site.key
-      -batch
-    creates: /var/ssl/site.crt
- name: Create Diffie-Hellman Parameters file
-  community.crypto.openssl_dhparam:
-    force: false
-    mode: 0o0644
-    path: /var/ssl/dhparams
-    size: 4096
-    state: present
- name: Copy btrfs backup script
-  copy:
-    dest: /usr/local/sbin/btrfs-backup
-    group: root
-    mode: preserve
-    owner: root
-    src: btrfs-backup
 - name: Mail aliases
  loop:
    - root
@@ -235,34 +118,14 @@
    name: update.timer
    state: started
- name: Create btrfs scrub services
+- name: Include Docker tasks
-  # yamllint disable rule:line-length
+  ansible.builtin.include_tasks:
-  loop: &btrfs_devices |-
+    file: docker.yml
-    {{ ansible_mounts|selectattr("fstype", "equalto", "btrfs")|map(attribute="device")|unique }}
-  # yamllint enable rule:line-length
-  ansible.builtin.template:
-    dest: /etc/systemd/system/scrub{{ name }}.service
-    mode: 0o0644
-    src: scrub.service.j2
-  vars: &btrfs_vars
-    device: '{{ item }}'
-    name: '{{ item|replace("/", "_") }}'
-  tags: [scrub]
- name: Create btrfs scrub timers
+- name: Include web tasks
-  loop: *btrfs_devices
+  ansible.builtin.include_tasks:
-  ansible.builtin.template:
+    file: web.yml
-    dest: /etc/systemd/system/scrub{{ name }}.timer
-    mode: 0o0644
-    src: scrub.timer.j2
-  vars: *btrfs_vars
-  tags: [scrub]
- name: Enable the btrfs scrub timers
+- name: Include btrfs tasks
-  loop: *btrfs_devices
+  ansible.builtin.include_tasks:
-  ansible.builtin.systemd:
+    file: btrfs.yml
-    enabled: true
-    name: scrub{{ name }}.timer
-    state: started
-  vars: *btrfs_vars
-  tags: [scrub]
--- a/roles/debian_server/tasks/web.yml
+++ b/roles/debian_server/tasks/web.yml
+---
+- name: Create my www directory
+  file:
+    group: www-data
+    mode: 0o0755
+    owner: www-data
+    path: /var/www
+    state: directory
+- name: Create an SSL directory under /var
+  file:
+    group: root
+    mode: 0o0755
+    owner: root
+    path: /var/ssl
+    state: directory
+# I know that I can use Ansible modules instead of calling OpenSSL directly, but
+# with the command module I can easily skip the task if the private key or the
+# certificate already exist. The point is to create an SSL and self-signed
+# certificate only as a bootstrap step. Once there is an existing (and assumed
+# valid) certificate, don't overwrite it.
+- name: Create private SSL key
+  command:
+    cmd: openssl genrsa -out /var/ssl/site.key 4096
+    creates: /var/ssl/site.key
+- name: Make sure the private key is accessible
+  file:
+    mode: 0o0444
+    path: /var/ssl/site.key
+    state: file
+- name: Create SSL certificate
+  command:
+    cmd: >-
+      openssl
+      req
+      -x509
+      -out /var/ssl/site.crt
+      -nodes
+      -key /var/ssl/site.key
+      -batch
+    creates: /var/ssl/site.crt
+- name: Create Diffie-Hellman Parameters file
+  community.crypto.openssl_dhparam:
+    force: false
+    mode: 0o0644
+    path: /var/ssl/dhparams
+    size: 4096
+    state: present